Access Denied error while edit some of the GPOs in Windows 2003 AD [message #411632] Sun, 14 March 2010 06:21
Laljeev M
Hi

We are unable to edit some of the GPOs (Default Domain Policy, etc.) and are
getting an Access Denied error. We checked the permissions of the SYSVOL folder and
found that Administrators (Domain), System and Authenticated Users have Full
Control share permissions. Full access has been provided to Administrators,
Creator Owner & System, and Read & Execute permission has been provided to
Authenticated Users in the Security tab.

Can anyone help me resolve the issue, and is any doc available to
check the correct permissions for SYSVOL?

Thanks in advance for help

Regards
Lal
--
----Server Management Team----
Re: Access Denied error while edit some of the GPOs in Windows 2003 AD [message #411635 is a reply to message #411632] Sun, 14 March 2010 06:31
meiweb
Hello Laljeev,

The permissions at the moment sound OK to me. Please run dcdiag /v on the
DCs and post the output here. Are you working on the DCs directly or from
a workstation with adminpak installed?

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


Re: Access Denied error while edit some of the GPOs in Windows 200 [message #411711 is a reply to message #411635] Sun, 14 March 2010 10:24
Laljeev M
Hi

Below is the output from dcdiag /v. I'm accessing the server through terminal
service (mstsc -admin). One of our DCs has been down since this morning (jpdc02).

____________________


Domain Controller Diagnosis

Performing initial setup:
* Verifying that the local machine rpdc04, is a DC.
* Connecting to directory service on server rpdc04.
* Collecting site info.
* Identifying all servers.
* Identifying all NC cross-refs.
* Found 4 DC(s). Testing 1 of them.
Done gathering initial info.

Doing initial required tests

Testing server: RHO\rpdc04
Starting test: Connectivity
* Active Directory LDAP Services Check
* Active Directory RPC Services Check
......................... rpdc04 passed test Connectivity

Doing primary tests

Testing server: RHO\rpdc04
Starting test: Replications
* Replications Check
[Replications Check,rpdc04] No replication recently attempted:
From dbdc01 to rpdc04
Naming Context: DC=ForestDnsZones,DC=mycompany,DC=com
The last attempt occurred at 2010-03-14 15:47:00 (about 3 hours
ago).
[Replications Check,rpdc04] A recent replication attempt failed:
From jpdc02 to rpdc04
Naming Context: DC=ForestDnsZones,DC=mycompany,DC=com
The replication generated an error (1256):
The remote system is not available. For information about
network troubleshooting, see Windows Help.
The failure occurred at 2010-03-14 18:54:08.
The last success occurred at 2010-03-13 12:17:32.
122 failures have occurred since the last success.
[Replications Check,rpdc04] A recent replication attempt failed:
From jpdc02 to rpdc04
Naming Context: DC=DomainDnsZones,DC=mycompany,DC=com
The replication generated an error (1256):
The remote system is not available. For information about
network troubleshooting, see Windows Help.
The failure occurred at 2010-03-14 18:54:08.
The last success occurred at 2010-03-13 12:17:32.
122 failures have occurred since the last success.
[Replications Check,rpdc04] A recent replication attempt failed:
From jpdc02 to rpdc04
Naming Context: CN=Schema,CN=Configuration,DC=mycompany,DC=com
The replication generated an error (1727):
The remote procedure call failed and did not execute.
The failure occurred at 2010-03-14 18:46:47.
The last success occurred at 2010-03-13 12:17:31.
121 failures have occurred since the last success.
[Replications Check,rpdc04] A recent replication attempt failed:
From jpdc02 to rpdc04
Naming Context: CN=Configuration,DC=mycompany,DC=com
The replication generated an error (1727):
The remote procedure call failed and did not execute.
The failure occurred at 2010-03-14 19:01:22.
The last success occurred at 2010-03-13 12:17:24.
122 failures have occurred since the last success.
[Replications Check,rpdc04] A recent replication attempt failed:
From jpdc02 to rpdc04
Naming Context: DC=mycompany,DC=com
The replication generated an error (1727):
The remote procedure call failed and did not execute.
The failure occurred at 2010-03-14 18:54:08.
The last success occurred at 2010-03-13 12:17:23.
11 failures have occurred since the last success.
rpdc04: There are 21 replication work items in the queue.
REPLICATION LATENCY WARNING
rpdc04: A long-running replication operation is in progress
The job has been executing for 5 minutes and 2 seconds.
Replication of new changes along this path will be delayed.
Error: Higher priority replications are being blocked
Enqueued 2010-03-14 18:47:22 at priority 170
Op: SYNC FROM SOURCE
NC CN=Schema,CN=Configuration,DC=mycompany,DC=com
DSADN CN=NTDS Settings,CN=jpdc02,CN=Servers,CN=JED,CN=Sites,CN=Configuration,DC=mycompany,DC=com
DSA transport addr f9f5b45f-b5e6-4302-9e97-069c79fd1585._msdcs.mycompany.com
* Replication Latency Check
REPLICATION-RECEIVED LATENCY WARNING
rpdc04: Current time is 2010-03-14 19:06:31.
DC=ForestDnsZones,DC=mycompany,DC=com
Last replication recieved from jpdc02 at 2010-03-13 12:18:23.
Latency information for 12 entries in the vector were ignored.
12 were retired Invocations. 0 were either: read-only
replicas and are not verifiably latent, or dc's no longer replicating this
nc. 0 had no latency information (Win2K DC).
DC=DomainDnsZones,DC=mycompany,DC=com
Last replication recieved from jpdc02 at 2010-03-13 12:18:22.
Latency information for 12 entries in the vector were ignored.
12 were retired Invocations. 0 were either: read-only
replicas and are not verifiably latent, or dc's no longer replicating this
nc. 0 had no latency information (Win2K DC).
CN=Schema,CN=Configuration,DC=mycompany,DC=com
Last replication recieved from jpdc02 at 2010-03-13 12:18:22.
Latency information for 19 entries in the vector were ignored.
19 were retired Invocations. 0 were either: read-only
replicas and are not verifiably latent, or dc's no longer replicating this
nc. 0 had no latency information (Win2K DC).
CN=Configuration,DC=mycompany,DC=com
Last replication recieved from jpdc02 at 2010-03-13 12:18:21.
Latency information for 19 entries in the vector were ignored.
19 were retired Invocations. 0 were either: read-only
replicas and are not verifiably latent, or dc's no longer replicating this
nc. 0 had no latency information (Win2K DC).
DC=mycompany,DC=com
Last replication recieved from jpdc02 at 2010-03-13 12:18:22.
Latency information for 18 entries in the vector were ignored.
18 were retired Invocations. 0 were either: read-only
replicas and are not verifiably latent, or dc's no longer replicating this
nc. 0 had no latency information (Win2K DC).
......................... rpdc04 passed test Replications
Test omitted by user request: Topology
Test omitted by user request: CutoffServers
Starting test: NCSecDesc
* Security Permissions check for all NC's on DC rpdc04.
* Security Permissions Check for
DC=ForestDnsZones,DC=mycompany,DC=com
(NDNC,Version 2)
* Security Permissions Check for
DC=DomainDnsZones,DC=mycompany,DC=com
(NDNC,Version 2)
* Security Permissions Check for
CN=Schema,CN=Configuration,DC=mycompany,DC=com
(Schema,Version 2)
* Security Permissions Check for
CN=Configuration,DC=mycompany,DC=com
(Configuration,Version 2)
* Security Permissions Check for
DC=mycompany,DC=com
(Domain,Version 2)
......................... rpdc04 passed test NCSecDesc
Starting test: NetLogons
* Network Logons Privileges Check
Verified share \\rpdc04\netlogon
Verified share \\rpdc04\sysvol
......................... rpdc04 passed test NetLogons
Starting test: Advertising
The DC rpdc04 is advertising itself as a DC and having a DS.
The DC rpdc04 is advertising as an LDAP server
The DC rpdc04 is advertising as having a writeable directory
The DC rpdc04 is advertising as a Key Distribution Center
The DC rpdc04 is advertising as a time server
The DS rpdc04 is advertising as a GC.
......................... rpdc04 passed test Advertising
Starting test: KnowsOfRoleHolders
Role Schema Owner = CN=NTDS Settings,CN=rpdc03,CN=Servers,CN=RHO,CN=Sites,CN=Configuration,DC=mycompany,DC=com
Role Domain Owner = CN=NTDS Settings,CN=rpdc03,CN=Servers,CN=RHO,CN=Sites,CN=Configuration,DC=mycompany,DC=com
Role PDC Owner = CN=NTDS Settings,CN=rpdc03,CN=Servers,CN=RHO,CN=Sites,CN=Configuration,DC=mycompany,DC=com
Role Rid Owner = CN=NTDS Settings,CN=rpdc03,CN=Servers,CN=RHO,CN=Sites,CN=Configuration,DC=mycompany,DC=com
Role Infrastructure Update Owner = CN=NTDS Settings,CN=rpdc03,CN=Servers,CN=RHO,CN=Sites,CN=Configuration,DC=mycompany,DC=com
......................... rpdc04 passed test KnowsOfRoleHolders
Starting test: RidManager
* Available RID Pool for the Domain is 22603 to 1073741823
* rpdc03.mycompany.com is the RID Master
* DsBind with RID Master was successful
* rIDAllocationPool is 20103 to 20602
* rIDPreviousAllocationPool is 20103 to 20602
* rIDNextRID: 20266
......................... rpdc04 passed test RidManager
Starting test: MachineAccount
Checking machine account for DC rpdc04 on DC rpdc04.
* SPN found :LDAP/rpdc04.mycompany.com/mycompany.com
* SPN found :LDAP/rpdc04.mycompany.com
* SPN found :LDAP/rpdc04
* SPN found :LDAP/rpdc04.mycompany.com/mycompany
* SPN found :LDAP/25671f81-8b4c-404c-991f-e5ae1eb35d62._msdcs.mycompany.com
* SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/25671f81-8b4c-404c-991f-e5ae1eb35d62/mycompany.com
* SPN found :HOST/rpdc04.mycompany.com/mycompany.com
* SPN found :HOST/rpdc04.mycompany.com
* SPN found :HOST/rpdc04
* SPN found :HOST/rpdc04.mycompany.com/mycompany
* SPN found :GC/rpdc04.mycompany.com/mycompany.com
......................... rpdc04 passed test MachineAccount
Starting test: Services
* Checking Service: Dnscache
* Checking Service: NtFrs
* Checking Service: IsmServ
* Checking Service: kdc
* Checking Service: SamSs
* Checking Service: LanmanServer
* Checking Service: LanmanWorkstation
* Checking Service: RpcSs
* Checking Service: w32time
* Checking Service: NETLOGON
......................... rpdc04 passed test Services
Test omitted by user request: OutboundSecureChannels
Starting test: ObjectsReplicated
rpdc04 is in domain DC=mycompany,DC=com
Checking for CN=rpdc04,OU=Domain Controllers,DC=mycompany,DC=com in
domain DC=mycompany,DC=com on 1 servers
Object is up-to-date on all servers.
Checking for CN=NTDS Settings,CN=rpdc04,CN=Servers,CN=RHO,CN=Sites,CN=Configuration,DC=mycompany,DC=com in domain CN=Configuration,DC=mycompany,DC=com on 1 servers
Object is up-to-date on all servers.
......................... rpdc04 passed test ObjectsReplicated
Starting test: frssysvol
* The File Replication Service SYSVOL ready test
File Replication Service's SYSVOL is ready
......................... rpdc04 passed test frssysvol
Starting test: frsevent
* The File Replication Service Event log test
There are warning or error events within the last 24 hours after the
SYSVOL has been shared. Failing SYSVOL replication problems may cause
Group Policy problems.
An Warning Event occured. EventID: 0x800034C4
Time Generated: 03/14/2010 14:22:14
(Event String could not be retrieved)
......................... rpdc04 failed test frsevent
Starting test: kccevent
* The KCC Event log test
An Warning Event occured. EventID: 0x8000061E
Time Generated: 03/14/2010 18:52:28
Event String: All domain controllers in the following site that
can replicate the directory partition over this
transport are currently unavailable.
Site:
CN=JED,CN=Sites,CN=Configuration,DC=mycompany,DC=com
Directory partition:
DC=mycompany,DC=com
Transport:
CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=mycompany,DC=com
An Error Event occured. EventID: 0xC000051F
Time Generated: 03/14/2010 18:52:28
Event String: The Knowledge Consistency Checker (KCC) has
detected problems with the following directory
partition.
Directory partition:
DC=mycompany,DC=com
There is insufficient site connectivity
information in Active Directory Sites and
Services for the KCC to create a spanning tree
replication topology. Or, one or more domain
controllers with this directory partition are
unable to replicate the directory partition
information. This is probably due to inaccessible
domain controllers.
User Action
Use Active Directory Sites and Services to
perform one of the following actions:
- Publish sufficient site connectivity
information so that the KCC can determine a route
by which this directory partition can reach this
site. This is the preferred option.
- Add a Connection object to a domain controller
that contains the directory partition in this
site from a domain controller that contains the
same directory partition in another site.
If neither of the Active Directory Sites and
Services tasks correct this condition, see
previous events logged by the KCC that identify
the inaccessible domain controllers.
An Warning Event occured. EventID: 0x80000749
Time Generated: 03/14/2010 18:52:28
Event String: The Knowledge Consistency Checker (KCC) was
unable to form a complete spanning tree network
topology. As a result, the following list of
sites cannot be reached from the local site.
Sites:
CN=JED,CN=Sites,CN=Configuration,DC=mycompany,DC=com
An Warning Event occured. EventID: 0x8000061E
Time Generated: 03/14/2010 18:52:28
Event String: All domain controllers in the following site that
can replicate the directory partition over this
transport are currently unavailable.
Site:
CN=JED,CN=Sites,CN=Configuration,DC=mycompany,DC=com
Directory partition:
DC=ForestDnsZones,DC=mycompany,DC=com
Transport:
CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=mycompany,DC=com
An Error Event occured. EventID: 0xC000051F
Time Generated: 03/14/2010 18:52:28
Event String: The Knowledge Consistency Checker (KCC) has
detected problems with the following directory
partition.
Directory partition:
DC=ForestDnsZones,DC=mycompany,DC=com
There is insufficient site connectivity
information in Active Directory Sites and
Services for the KCC to create a spanning tree
replication topology. Or, one or more domain
controllers with this directory partition are
unable to replicate the directory partition
information. This is probably due to inaccessible
domain controllers.
User Action
Use Active Directory Sites and Services to
perform one of the following actions:
- Publish sufficient site connectivity
information so that the KCC can determine a route
by which this directory partition can reach this
site. This is the preferred option.
- Add a Connection object to a domain controller
that contains the directory partition in this
site from a domain controller that contains the
same directory partition in another site.
If neither of the Active Directory Sites and
Services tasks correct this condition, see
previous events logged by the KCC that identify
the inaccessible domain controllers.
An Warning Event occured. EventID: 0x80000749
Time Generated: 03/14/2010 18:52:28
Event String: The Knowledge Consistency Checker (KCC) was
unable to form a complete spanning tree network
topology. As a result, the following list of
sites cannot be reached from the local site.
Sites:
CN=JED,CN=Sites,CN=Configuration,DC=mycompany,DC=com
An Warning Event occured. EventID: 0x8000061E
Time Generated: 03/14/2010 18:52:28
Event String: All domain controllers in the following site that
can replicate the directory partition over this
transport are currently unavailable.
Site:
CN=JED,CN=Sites,CN=Configuration,DC=mycompany,DC=com
Directory partition:
DC=DomainDnsZones,DC=mycompany,DC=com
Transport:
CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=mycompany,DC=com
An Error Event occured. EventID: 0xC000051F
Time Generated: 03/14/2010 18:52:28
Event String: The Knowledge Consistency Checker (KCC) has
detected problems with the following directory
partition.
Directory partition:
DC=DomainDnsZones,DC=mycompany,DC=com
There is insufficient site connectivity
information in Active Directory Sites and
Services for the KCC to create a spanning tree
replication topology. Or, one or more domain
controllers with this directory partition are
unable to replicate the directory partition
information. This is probably due to inaccessible
domain controllers.
User Action
Use Active Directory Sites and Services to
perform one of the following actions:
- Publish sufficient site connectivity
information so that the KCC can determine a route
by which this directory partition can reach this
site. This is the preferred option.
- Add a Connection object to a domain controller
that contains the directory partition in this
site from a domain controller that contains the
same directory partition in another site.
If neither of the Active Directory Sites and
Services tasks correct this condition, see
previous events logged by the KCC that identify
the inaccessible domain controllers.
An Warning Event occured. EventID: 0x80000749
Time Generated: 03/14/2010 18:52:28
Event String: The Knowledge Consistency Checker (KCC) was
unable to form a complete spanning tree network
topology. As a result, the following list of
sites cannot be reached from the local site.
Sites:
CN=JED,CN=Sites,CN=Configuration,DC=mycompany,DC=com
An Warning Event occured. EventID: 0x8000061E
Time Generated: 03/14/2010 18:52:28
Event String: All domain controllers in the following site that
can replicate the directory partition over this
transport are currently unavailable.
Site:
CN=JED,CN=Sites,CN=Configuration,DC=mycompany,DC=com
Directory partition:
CN=Configuration,DC=mycompany,DC=com
Transport:
CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=mycompany,DC=com
An Error Event occured. EventID: 0xC000051F
Time Generated: 03/14/2010 18:52:28
Event String: The Knowledge Consistency Checker (KCC) has
detected problems with the following directory
partition.
Directory partition:
CN=Configuration,DC=mycompany,DC=com
There is insufficient site connectivity
information in Active Directory Sites and
Services for the KCC to create a spanning tree
replication topology. Or, one or more domain
controllers with this directory partition are
unable to replicate the directory partition
information. This is probably due to inaccessible
domain controllers.
User Action
Use Active Directory Sites and Services to
perform one of the following actions:
- Publish sufficient site connectivity
information so that the KCC can determine a route
by which this directory partition can reach this
site. This is the preferred option.
- Add a Connection object to a domain controller
that contains the directory partition in this
site from a domain controller that contains the
same directory partition in another site.
If neither of the Active Directory Sites and
Services tasks correct this condition, see
previous events logged by the KCC that identify
the inaccessible domain controllers.
An Warning Event occured. EventID: 0x80000749
Time Generated: 03/14/2010 18:52:28
Event String: The Knowledge Consistency Checker (KCC) was
unable to form a complete spanning tree network
topology. As a result, the following list of
sites cannot be reached from the local site.
Sites:
CN=JED,CN=Sites,CN=Configuration,DC=mycompany,DC=com
......................... rpdc04 failed test kccevent
Starting test: systemlog
* The System Event log test
An Error Event occured. EventID: 0x0000165B
Time Generated: 03/14/2010 18:28:42
Event String: The session setup from computer 'RIYDTP110'
failed because the security database does not
contain a trust account 'RIYDTP110$' referenced
by the specified computer.
USER ACTION
If this is the first occurrence of this event for
the specified computer and account, this may be a
transient issue that doesn't require any action
at this time. Otherwise, the following steps may
be taken to resolve this problem:
If 'RIYDTP110$' is a legitimate machine account
for the computer 'RIYDTP110', then 'RIYDTP110'
should be rejoined to the domain.
If 'RIYDTP110$' is a legitimate interdomain trust
account, then the trust should be recreated.
Otherwise, assuming that 'RIYDTP110$' is not a
legitimate account, the following action should
be taken on 'RIYDTP110':
If 'RIYDTP110' is a Domain Controller, then the
trust associated with 'RIYDTP110$' should be
deleted.
If 'RIYDTP110' is not a Domain Controller, it
should be disjoined from the domain.
An Error Event occured. EventID: 0x000016AD
Time Generated: 03/14/2010 18:33:21
Event String: The session setup from the computer RIYDTP110
failed to authenticate. The following error
occurred:
%%5
......................... rpdc04 failed test systemlog
Test omitted by user request: VerifyReplicas
Starting test: VerifyReferences
The system object reference (serverReference)
CN=rpdc04,OU=Domain Controllers,DC=mycompany,DC=com and backlink on
CN=rpdc04,CN=Servers,CN=RHO,CN=Sites,CN=Configuration,DC=mycompany,DC=com
are correct.
The system object reference (frsComputerReferenceBL)
CN=rpdc04,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=mycompany,DC=com
and backlink on CN=rpdc04,OU=Domain Controllers,DC=mycompany,DC=com
are correct.
The system object reference (serverReferenceBL)
CN=rpdc04,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=mycompany,DC=com
and backlink on
CN=NTDS Settings,CN=rpdc04,CN=Servers,CN=RHO,CN=Sites,CN=Configuration,DC=mycompany,DC=com
are correct.
......................... rpdc04 passed test VerifyReferences
Test omitted by user request: VerifyEnterpriseReferences
Test omitted by user request: CheckSecurityError

Running partition tests on : ForestDnsZones
Starting test: CrossRefValidation
......................... ForestDnsZones passed test
CrossRefValidation
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom

Running partition tests on : DomainDnsZones
Starting test: CrossRefValidation
......................... DomainDnsZones passed test
CrossRefValidation
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom

Running partition tests on : Schema
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom

Running partition tests on : Configuration
Starting test: CrossRefValidation
......................... Configuration passed test
CrossRefValidation
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom

Running partition tests on : mycompany
Starting test: CrossRefValidation
......................... mycompany passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... mycompany passed test CheckSDRefDom

Running enterprise tests on : mycompany.com
Starting test: Intersite
Skipping site RHO, this site is outside the scope provided by the
command line arguments provided.
Skipping site DAM, this site is outside the scope provided by the
command line arguments provided.
Skipping site JED, this site is outside the scope provided by the
command line arguments provided.
......................... mycompany.com passed test Intersite
Starting test: FsmoCheck
GC Name: \\rpdc04.mycompany.com
Locator Flags: 0xe00001fc
PDC Name: \\rpdc03.mycompany.com
Locator Flags: 0xe00003fd
Time Server Name: \\rpdc04.mycompany.com
Locator Flags: 0xe00001fc
Preferred Time Server Name: \\rpdc03.mycompany.com
Locator Flags: 0xe00003fd
KDC Name: \\rpdc04.mycompany.com
Locator Flags: 0xe00001fc
......................... mycompany.com passed test FsmoCheck
Test omitted by user request: DNS
Test omitted by user request: DNS
---------------------

Regards
Lal
--
----Server Management Team----
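
Added example, not part of the original thread and not a Microsoft tool: a small Python parser for `dcdiag /v` text like the output posted above, which lists failed tests, failing inbound replication links per source DC, and decoded event IDs. The sample is a constructed excerpt modelled on that output, and the function names (`parse_dcdiag`, `triage`) are hypothetical.

```python
import re
from collections import Counter

# Constructed excerpt modelled on the dcdiag /v output posted in this thread
# (trimmed; host and domain names taken from the post).
SAMPLE = r"""
Testing server: RHO\rpdc04
Starting test: Replications
[Replications Check,rpdc04] A recent replication attempt failed:
From jpdc02 to rpdc04
Naming Context: DC=DomainDnsZones,DC=mycompany,DC=com
The replication generated an error (1256):
The last success occurred at 2010-03-13 12:17:32.
122 failures have occurred since the last success.
[Replications Check,rpdc04] A recent replication attempt failed:
From jpdc02 to rpdc04
Naming Context: DC=mycompany,DC=com
The replication generated an error (1727):
The last success occurred at 2010-03-13 12:17:23.
11 failures have occurred since the last success.
......................... rpdc04 passed test Replications
Starting test: frsevent
An Warning Event occured. EventID: 0x800034C4
(Event String could not be retrieved)
......................... rpdc04 failed test frsevent
Starting test: kccevent
An Error Event occured. EventID: 0xC000051F
......................... rpdc04 failed test kccevent
Starting test: CrossRefValidation
......................... ForestDnsZones passed test
CrossRefValidation
"""

START = re.compile(r"^Starting test:\s*(\S+)")
VERDICT = re.compile(r"^\.{5,}\s+(\S+)\s+(passed|failed)\s+test\s*(\S*)$")
REPL_HEAD = re.compile(r"^\[Replications Check,[^\]]+\] A recent replication attempt failed")
FROM_TO = re.compile(r"^From\s+(\S+)\s+to\s+(\S+)")
NAMING = re.compile(r"^Naming Context:\s*(\S+)")
ERROR = re.compile(r"generated an error \((-?\d+)\)")
LAST_OK = re.compile(r"^The last success occurred at ([\d-]+ [\d:]+)")
COUNT = re.compile(r"^(\d+) failures have occurred since the last success")
EVENT = re.compile(r"^An? (Warning|Error) Event occurr?ed\.\s+EventID:\s+0x([0-9A-Fa-f]{8})")


def parse_dcdiag(text):
    """Return (verdicts, replication_failures, events) from dcdiag /v text."""
    lines = [ln.strip() for ln in text.splitlines()]
    verdicts, repl, events = [], [], []
    test, cur = None, None
    for i, line in enumerate(lines):
        if m := START.match(line):
            test, cur = m.group(1), None
        elif m := VERDICT.match(line):
            name = m.group(3)
            if not name:  # verdict wrapped by the news client: name is on the next line
                name = next((ln for ln in lines[i + 1:] if ln), "")
            verdicts.append((m.group(1), name, m.group(2)))
            cur = None
        elif REPL_HEAD.match(line):
            cur = {"source": None, "nc": None, "error": None,
                   "last_success": None, "failures": None}
            repl.append(cur)
        elif m := EVENT.match(line):
            # The low 16 bits are the event ID as Event Viewer displays it.
            events.append({"test": test, "level": m.group(1),
                           "event_id": int(m.group(2), 16) & 0xFFFF})
        elif cur is not None:
            if m := FROM_TO.match(line):
                cur["source"] = m.group(1)
            elif m := NAMING.match(line):
                cur["nc"] = m.group(1)
            elif m := ERROR.search(line):
                cur["error"] = int(m.group(1))
            elif m := LAST_OK.match(line):
                cur["last_success"] = m.group(1)
            elif m := COUNT.match(line):
                cur["failures"] = int(m.group(1))
    return verdicts, repl, events


def triage(text):
    """Summarise what needs attention, including failures behind a 'passed' verdict."""
    verdicts, repl, events = parse_dcdiag(text)
    passed = {name for _, name, verdict in verdicts if verdict == "passed"}
    return {
        "failed_tests": [f"{t}:{n}" for t, n, v in verdicts if v == "failed"],
        # Failing inbound links grouped by (source DC, error code)
        "failing_sources": dict(Counter((r["source"], r["error"]) for r in repl)),
        # In the posted output the Replications test passed despite failing links
        "replication_failures_behind_pass": "Replications" in passed and bool(repl),
        "event_ids": sorted({e["event_id"] for e in events}),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

The decoded event IDs can be looked up in Event Viewer on the DC even where dcdiag reports "Event String could not be retrieved".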


Re: Access Denied error while edit some of the GPOs in Windows 200 [message #411769 is a reply to message #411711] Sun, 14 March 2010 12:44
meiweb
Hello Laljeev,

Hopefully the second DC is back soon for you. Did you check the event viewer
for errors on the DC where you logged in to when the access denied popped up?

As you wrote you can't edit some of the GPOs, so are you able to edit some
others? Did you check that the content of sysvol and netlogon is the same
on all DCs in the domain and replication is working on each DC with repadmin
/showrepl?

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> ......................... rpdc04 passed test NetLogons
> Starting test: Advertising
> The DC rpdc04 is advertising itself as a DC and having a DS.
> The DC rpdc04 is advertising as an LDAP server
> The DC rpdc04 is advertising as having a writeable directory
> The DC rpdc04 is advertising as a Key Distribution Center
> The DC rpdc04 is advertising as a time server
> The DS rpdc04 is advertising as a GC.
> ......................... rpdc04 passed test Advertising
> Starting test: KnowsOfRoleHolders
> Role Schema Owner = CN=NTDS Settings,CN=rpdc03,CN=Servers,CN=RHO,CN=Sites,CN=Configuration,DC=mycompany,DC=com
> Role Domain Owner = CN=NTDS Settings,CN=rpdc03,CN=Servers,CN=RHO,CN=Sites,CN=Configuration,DC=mycompany,DC=com
> Role PDC Owner = CN=NTDS Settings,CN=rpdc03,CN=Servers,CN=RHO,CN=Sites,CN=Configuration,DC=mycompany,DC=com
> Role Rid Owner = CN=NTDS Settings,CN=rpdc03,CN=Servers,CN=RHO,CN=Sites,CN=Configuration,DC=mycompany,DC=com
> Role Infrastructure Update Owner = CN=NTDS Settings,CN=rpdc03,CN=Servers,CN=RHO,CN=Sites,CN=Configuration,DC=mycompany,DC=com
> ......................... rpdc04 passed test
> KnowsOfRoleHolders
> Starting test: RidManager
> * Available RID Pool for the Domain is 22603 to 1073741823
> * rpdc03.mycompany.com is the RID Master
> * DsBind with RID Master was successful
> * rIDAllocationPool is 20103 to 20602
> * rIDPreviousAllocationPool is 20103 to 20602
> * rIDNextRID: 20266
> ......................... rpdc04 passed test RidManager
> Starting test: MachineAccount
> Checking machine account for DC rpdc04 on DC rpdc04.
> * SPN found :LDAP/rpdc04.mycompany.com/mycompany.com
> * SPN found :LDAP/rpdc04.mycompany.com
> * SPN found :LDAP/rpdc04
> * SPN found :LDAP/rpdc04.mycompany.com/mycompany
> * SPN found :LDAP/25671f81-8b4c-404c-991f-e5ae1eb35d62._msdcs.mycompany.com
> * SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/25671f81-8b4c-404c-991f-e5ae1eb35d62/mycompany.com
> * SPN found :HOST/rpdc04.mycompany.com/mycompany.com
> * SPN found :HOST/rpdc04.mycompany.com
> * SPN found :HOST/rpdc04
> * SPN found :HOST/rpdc04.mycompany.com/mycompany
> * SPN found :GC/rpdc04.mycompany.com/mycompany.com
> ......................... rpdc04 passed test MachineAccount
> Starting test: Services
> * Checking Service: Dnscache
> * Checking Service: NtFrs
> * Checking Service: IsmServ
> * Checking Service: kdc
> * Checking Service: SamSs
> * Checking Service: LanmanServer
> * Checking Service: LanmanWorkstation
> * Checking Service: RpcSs
> * Checking Service: w32time
> * Checking Service: NETLOGON
> ......................... rpdc04 passed test Services
> Test omitted by user request: OutboundSecureChannels
> Starting test: ObjectsReplicated
> rpdc04 is in domain DC=mycompany,DC=com
> Checking for CN=rpdc04,OU=Domain
> Controllers,DC=mycompany,DC=com in
> domain DC=mycompany,DC=com on 1 servers
> Object is up-to-date on all servers.
> Checking for CN=NTDS Settings,CN=rpdc04,CN=Servers,CN=RHO,CN=Sites,CN=Configuration,DC=mycompany,DC=com in domain CN=Configuration,DC=mycompany,DC=com on 1 servers
> Object is up-to-date on all servers.
> ......................... rpdc04 passed test
> ObjectsReplicated
> Starting test: frssysvol
> * The File Replication Service SYSVOL ready test
> File Replication Service's SYSVOL is ready
> ......................... rpdc04 passed test frssysvol
> Starting test: frsevent
> * The File Replication Service Event log test
> There are warning or error events within the last 24 hours
> after the
> SYSVOL has been shared. Failing SYSVOL replication problems
> may cause
>
> Group Policy problems.
> An Warning Event occured. EventID: 0x800034C4
> Time Generated: 03/14/2010 14:22:14
> (Event String could not be retrieved)
> ......................... rpdc04 failed test frsevent
> Starting test: kccevent
> * The KCC Event log test
> An Warning Event occured. EventID: 0x8000061E
> Time Generated: 03/14/2010 18:52:28
> Event String: All domain controllers in the following site
> that
> can replicate the directory partition over this
>
> transport are currently unavailable.
>
> Site:
>
> CN=JED,CN=Sites,CN=Configuration,DC=mycompany,DC=com
>
> Directory partition:
>
> DC=mycompany,DC=com
>
> Transport:
>
> CN=IP,CN=Inter-Site
> Transports,CN=Sites,CN=Configuration,DC=mycompany,DC=com
>
> An Error Event occured. EventID: 0xC000051F
> Time Generated: 03/14/2010 18:52:28
> Event String: The Knowledge Consistency Checker (KCC) has
> detected problems with the following directory
>
> partition.
>
> Directory partition:
>
> DC=mycompany,DC=com
>
> There is insufficient site connectivity
>
> information in Active Directory Sites and
>
> Services for the KCC to create a spanning tree
>
> replication topology. Or, one or more domain
>
> controllers with this directory partition are
>
> unable to replicate the directory partition
>
> information. This is probably due to inaccessible
>
> domain controllers.
>
> User Action
>
> Use Active Directory Sites and Services to
>
> perform one of the following actions:
>
> - Publish sufficient site connectivity
>
> information so that the KCC can determine a route
>
> by which this directory partition can reach this
>
> site. This is the preferred option.
>
> - Add a Connection object to a domain controller
>
> that contains the directory partition in this
>
> site from a domain controller that contains the
>
> same directory partition in another site.
>
> If neither of the Active Directory Sites and
>
> Services tasks correct this condition, see
>
> previous events logged by the KCC that identify
>
> the inaccessible domain controllers.
> An Warning Event occured. EventID: 0x80000749
> Time Generated: 03/14/2010 18:52:28
> Event String: The Knowledge Consistency Checker (KCC) was
> unable to form a complete spanning tree network
>
> topology. As a result, the following list of
>
> sites cannot be reached from the local site.
>
> Sites:
>
> CN=JED,CN=Sites,CN=Configuration,DC=mycompany,DC=com
>
> An Warning Event occured. EventID: 0x8000061E
> Time Generated: 03/14/2010 18:52:28
> Event String: All domain controllers in the following site
> that
> can replicate the directory partition over this
>
> transport are currently unavailable.
>
> Site:
>
> CN=JED,CN=Sites,CN=Configuration,DC=mycompany,DC=com
>
> Directory partition:
>
> DC=ForestDnsZones,DC=mycompany,DC=com
>
> Transport:
>
> CN=IP,CN=Inter-Site
> Transports,CN=Sites,CN=Configuration,DC=mycompany,DC=com
>
> An Error Event occured. EventID: 0xC000051F
> Time Generated: 03/14/2010 18:52:28
> Event String: The Knowledge Consistency Checker (KCC) has
> detected problems with the following directory
>
> partition.
>
> Directory partition:
>
> DC=ForestDnsZones,DC=mycompany,DC=com
>
> There is insufficient site connectivity
>
> information in Active Directory Sites and
>
> Services for the KCC to create a spanning tree
>
> replication topology. Or, one or more domain
>
> controllers with this directory partition are
>
> unable to replicate the directory partition
>
> information. This is probably due to inaccessible
>
> domain controllers.
>
> User Action
>
> Use Active Directory Sites and Services to
>
> perform one of the following actions:
>
> - Publish sufficient site connectivity
>
> information so that the KCC can determine a route
>
> by which this directory partition can reach this
>
> site. This is the preferred option.
>
> - Add a Connection object to a domain controller
>
> that contains the directory partition in this
>
> site from a domain controller that contains the
>
> same directory partition in another site.
>
> If neither of the Active Directory Sites and
>
> Services tasks correct this condition, see
>
> previous events logged by the KCC that identify
>
> the inaccessible domain controllers.
> An Warning Event occured. EventID: 0x80000749
> Time Generated: 03/14/2010 18:52:28
> Event String: The Knowledge Consistency Checker (KCC) was
> unable to form a complete spanning tree network
>
> topology. As a result, the following list of
>
> sites cannot be reached from the local site.
>
> Sites:
>
> CN=JED,CN=Sites,CN=Configuration,DC=mycompany,DC=com
>
> An Warning Event occured. EventID: 0x8000061E
> Time Generated: 03/14/2010 18:52:28
> Event String: All domain controllers in the following site
> that
> can replicate the directory partition over this
>
> transport are currently unavailable.
>
> Site:
>
> CN=JED,CN=Sites,CN=Configuration,DC=mycompany,DC=com
>
> Directory partition:
>
> DC=DomainDnsZones,DC=mycompany,DC=com
>
> Transport:
>
> CN=IP,CN=Inter-Site
> Transports,CN=Sites,CN=Configuration,DC=mycompany,DC=com
>
> An Error Event occured. EventID: 0xC000051F
> Time Generated: 03/14/2010 18:52:28
> Event String: The Knowledge Consistency Checker (KCC) has
> detected problems with the following directory
>
> partition.
>
> Directory partition:
>
> DC=DomainDnsZones,DC=mycompany,DC=com
>
> There is insufficient site connectivity
>
> information in Active Directory Sites and
>
> Services for the KCC to create a spanning tree
>
> replication topology. Or, one or more domain
>
> controllers with this directory partition are
>
> unable to replicate the directory partition
>
> information. This is probably due to inaccessible
>
> domain controllers.
>
> User Action
>
> Use Active Directory Sites and Services to
>
> perform one of the following actions:
>
> - Publish sufficient site connectivity
>
> information so that the KCC can determine a route
>
> by which this directory partition can reach this
>
> site. This is the preferred option.
>
> - Add a Connection object to a domain controller
>
> that contains the directory partition in this
>
> site from a domain controller that contains the
>
> same directory partition in another site.
>
> If neither of the Active Directory Sites and
>
> Services tasks correct this condition, see
>
> previous events logged by the KCC that identify
>
> the inaccessible domain controllers.
> An Warning Event occured. EventID: 0x80000749
> Time Generated: 03/14/2010 18:52:28
> Event String: The Knowledge Consistency Checker (KCC) was
> unable to form a complete spanning tree network
>
> topology. As a result, the following list of
>
> sites cannot be reached from the local site.
>
> Sites:
>
> CN=JED,CN=Sites,CN=Configuration,DC=mycompany,DC=com
>
> An Warning Event occured. EventID: 0x8000061E
> Time Generated: 03/14/2010 18:52:28
> Event String: All domain controllers in the following site
> that
> can replicate the directory partition over this
>
> transport are currently unavailable.
>
> Site:
>
> CN=JED,CN=Sites,CN=Configuration,DC=mycompany,DC=com
>
> Directory partition:
>
> CN=Configuration,DC=mycompany,DC=com
>
> Transport:
>
> CN=IP,CN=Inter-Site
> Transports,CN=Sites,CN=Configuration,DC=mycompany,DC=com
>
> An Error Event occured. EventID: 0xC000051F
> Time Generated: 03/14/2010 18:52:28
> Event String: The Knowledge Consistency Checker (KCC) has
> detected problems with the following directory
>
> partition.
>
> Directory partition:
>
> CN=Configuration,DC=mycompany,DC=com
>
> There is insufficient site connectivity
>
> information in Active Directory Sites and
>
> Services for the KCC to create a spanning tree
>
> replication topology. Or, one or more domain
>
> controllers with this directory partition are
>
> unable to replicate the directory partition
>
> information. This is probably due to inaccessible
>
> domain controllers.
>
> User Action
>
> Use Active Directory Sites and Services to
>
> perform one of the following actions:
>
> - Publish sufficient site connectivity
>
> information so that the KCC can determine a route
>
> by which this directory partition can reach this
>
> site. This is the preferred option.
>
> - Add a Connection object to a domain controller
>
> that contains the directory partition in this
>
> site from a domain controller that contains the
>
> same directory partition in another site.
>
> If neither of the Active Directory Sites and
>
> Services tasks correct this condition, see
>
> previous events logged by the KCC that identify
>
> the inaccessible domain controllers.
> An Warning Event occured. EventID: 0x80000749
> Time Generated: 03/14/2010 18:52:28
> Event String: The Knowledge Consistency Checker (KCC) was
> unable to form a complete spanning tree network
>
> topology. As a result, the following list of
>
> sites cannot be reached from the local site.
>
> Sites:
>
> CN=JED,CN=Sites,CN=Configuration,DC=mycompany,DC=com
>
> ......................... rpdc04 failed test kccevent
> Starting test: systemlog
> * The System Event log test
> An Error Event occured. EventID: 0x0000165B
> Time Generated: 03/14/2010 18:28:42
> Event String: The session setup from computer 'RIYDTP110'
> failed because the security database does not
>
> contain a trust account 'RIYDTP110$' referenced
>
> by the specified computer.
>
> USER ACTION
>
> If this is the first occurrence of this event for
>
> the specified computer and account, this may be a
>
> transient issue that doesn't require any action
>
> at this time. Otherwise, the following steps may
>
> be taken to resolve this problem:
>
> If 'RIYDTP110$' is a legitimate machine account
>
> for the computer 'RIYDTP110', then 'RIYDTP110'
>
> should be rejoined to the domain.
>
> If 'RIYDTP110$' is a legitimate interdomain trust
>
> account, then the trust should be recreated.
>
> Otherwise, assuming that 'RIYDTP110$' is not a
>
> legitimate account, the following action should
>
> be taken on 'RIYDTP110':
>
> If 'RIYDTP110' is a Domain Controller, then the
>
> trust associated with 'RIYDTP110$' should be
>
> deleted.
>
> If 'RIYDTP110' is not a Domain Controller, it
>
> should be disjoined from the domain.
> An Error Event occured. EventID: 0x000016AD
> Time Generated: 03/14/2010 18:33:21
> Event String: The session setup from the computer
> RIYDTP110
> failed to authenticate. The following error
>
> occurred:
>
> %%5
> ......................... rpdc04 failed test systemlog
> Test omitted by user request: VerifyReplicas
> Starting test: VerifyReferences
> The system object reference (serverReference)
> CN=rpdc04,OU=Domain Controllers,DC=mycompany,DC=com and
> backlink on
>
> CN=rpdc04,CN=Servers,CN=RHO,CN=Sites,CN=Configuration,DC=mycompany,DC=com
>
> are correct.
> The system object reference (frsComputerReferenceBL)
> CN=rpdc04,CN=Domain System Volume (SYSVOL share),CN=File
> Replication Service,CN=System,DC=mycompany,DC=com
>
> and backlink on CN=rpdc04,OU=Domain
> Controllers,DC=mycompany,DC=com
>
> are correct.
> The system object reference (serverReferenceBL)
> CN=rpdc04,CN=Domain System Volume (SYSVOL share),CN=File
> Replication Service,CN=System,DC=mycompany,DC=com
>
> and backlink on
>
> CN=NTDS Settings,CN=rpdc04,CN=Servers,CN=RHO,CN=Sites,CN=Configuration,DC=mycompany,DC=com
>
> are correct.
> ......................... rpdc04 passed test VerifyReferences
> Test omitted by user request: VerifyEnterpriseReferences
> Test omitted by user request: CheckSecurityError
> Running partition tests on : ForestDnsZones
> Starting test: CrossRefValidation
> ......................... ForestDnsZones passed test
> CrossRefValidation
> Starting test: CheckSDRefDom
> ......................... ForestDnsZones passed test
> CheckSDRefDom
> Running partition tests on : DomainDnsZones
> Starting test: CrossRefValidation
> ......................... DomainDnsZones passed test
> CrossRefValidation
> Starting test: CheckSDRefDom
> ......................... DomainDnsZones passed test
> CheckSDRefDom
> Running partition tests on : Schema
> Starting test: CrossRefValidation
> ......................... Schema passed test
> CrossRefValidation
> Starting test: CheckSDRefDom
> ......................... Schema passed test CheckSDRefDom
> Running partition tests on : Configuration
> Starting test: CrossRefValidation
> ......................... Configuration passed test
> CrossRefValidation
> Starting test: CheckSDRefDom
> ......................... Configuration passed test
> CheckSDRefDom
> Running partition tests on : mycompany
> Starting test: CrossRefValidation
> ......................... mycompany passed test
> CrossRefValidation
> Starting test: CheckSDRefDom
> ......................... mycompany passed test CheckSDRefDom
> Running enterprise tests on : mycompany.com
> Starting test: Intersite
> Skipping site RHO, this site is outside the scope provided by
> the
> command line arguments provided.
> Skipping site DAM, this site is outside the scope provided by
> the
> command line arguments provided.
> Skipping site JED, this site is outside the scope provided by
> the
> command line arguments provided.
> ......................... mycompany.com passed test Intersite
> Starting test: FsmoCheck
> GC Name: \\rpdc04.mycompany.com
> Locator Flags: 0xe00001fc
> PDC Name: \\rpdc03.mycompany.com
> Locator Flags: 0xe00003fd
> Time Server Name: \\rpdc04.mycompany.com
> Locator Flags: 0xe00001fc
> Preferred Time Server Name: \\rpdc03.mycompany.com
> Locator Flags: 0xe00003fd
> KDC Name: \\rpdc04.mycompany.com
> Locator Flags: 0xe00001fc
> ......................... mycompany.com passed test FsmoCheck
> Test omitted by user request: DNS
> Test omitted by user request: DNS
> ---------------------
> Regards
> Lal
> "Meinolf Weber [MVP-DS]" wrote:
>
>> Hello Laljeev,
>>
>> The permissions at the moment sounds ok for me. Please run dcdiag /v
>> on the DCs and post the output here. Are you working on the DCs
>> directly or from a workstation with adminpak installed?
>>
>> Best regards
>>
>> Meinolf Weber
>> Disclaimer: This posting is provided "AS IS" with no warranties, and
>> confers
>> no rights.
>> ** Please do NOT email, only reply to Newsgroups
>> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>>> Hi
>>>
>>> We are unable to edit some of the GPOs (Default Domain Policy, etc)
>>> and getting Access Denied error. We checked the permission of SYSVOL
>>> folder and found Administrators (Domain), System and Authenticated
>>> Users have full control share permissions. Full access has been
>>> provided to Administrators, creator owner & System and read &
>>> execute permission has been provided to Authenticated users in
>>> Security tab.
>>>
>>> Can anyone help me to resolve the issue and also any doc is
>>> available to check the correct permissions with SYSVOL.
>>>
>>> Thanks in advance for help
>>>
>>> Regards
>>> Lal
>> .
>>
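The dcdiag /v output quoted above can be triaged mechanically. The following is an added example, not part of the original thread and not a Microsoft tool: it strips the `>` quote markers, undoes the line wrapping, and lists failed tests, replication failures and the Event Viewer IDs (low 16 bits of each `EventID`). The function names and the sample excerpt, modelled on the quoted output, are constructed for illustration.

```python
import re

# Leading '>' quote markers as added by newsgroup/forum replies.
QUOTE_PREFIX = re.compile(r"^(?:\s*>)+\s?")

# Patterns are applied to the flattened text, so they may span wrapped lines.
REPL_FAIL = re.compile(
    r"A recent replication attempt failed: "
    r"From (?P<src>\S+) to (?P<dst>\S+) "
    r"Naming Context: (?P<nc>\S+) "
    r"The replication generated an error \((?P<code>\d+)\): "
    r"(?P<msg>.*?) The failure occurred at (?P<failed>[\d-]+ [\d:]+)\. "
    r"The last success occurred at (?P<ok>[\d-]+ [\d:]+)\. "
    r"(?P<count>\d+) failures have occurred"
)
TEST_RESULT = re.compile(
    r"\.{5,} (?P<target>\S+) (?P<result>passed|failed) test (?P<name>\w+)"
)
SECTION = re.compile(r"Starting test: (\w+)(.*?)(?=Starting test: |$)")
EVENT = re.compile(
    r"An (?P<severity>Warning|Error) Event occur+ed\. "
    r"EventID: (?P<id>0x[0-9A-Fa-f]{8})"
)


def normalize(text):
    """Drop quote markers and collapse all whitespace into single spaces."""
    lines = [QUOTE_PREFIX.sub("", line) for line in text.splitlines()]
    return " ".join(" ".join(lines).split())


def summarize_dcdiag(text):
    """Return failed tests, replication failures and event IDs per test."""
    flat = normalize(text)

    failures = []
    for m in REPL_FAIL.finditer(flat):
        entry = m.groupdict()
        entry["code"] = int(entry["code"])
        entry["count"] = int(entry["count"])
        failures.append(entry)

    failed_tests = [
        m["name"] for m in TEST_RESULT.finditer(flat) if m["result"] == "failed"
    ]

    events = {}
    for m in SECTION.finditer(flat):
        name, body = m.group(1), m.group(2)
        seen = []
        for ev in EVENT.finditer(body):
            # The low 16 bits are the ID shown in Event Viewer; the high
            # bits carry severity and facility.
            item = (ev["severity"], int(ev["id"], 16) & 0xFFFF)
            if item not in seen:
                seen.append(item)
        if seen:
            events[name] = seen

    return {
        "failed_tests": failed_tests,
        "replication_failures": failures,
        "events": events,
    }


# Constructed excerpt in the shape of the quoted dcdiag /v output.
SAMPLE = """\
> Starting test: Replications
> [Replications Check,rpdc04] A recent replication attempt
> failed:
> From jpdc02 to rpdc04
> Naming Context: DC=mycompany,DC=com
> The replication generated an error (1727):
> The remote procedure call failed and did not execute.
> The failure occurred at 2010-03-14 18:54:08.
> The last success occurred at 2010-03-13 12:17:23.
> 11 failures have occurred since the last success.
> ......................... rpdc04 passed test Replications
> Starting test: frsevent
> An Warning Event occured. EventID: 0x800034C4
> Time Generated: 03/14/2010 14:22:14
> ......................... rpdc04 failed test frsevent
> Starting test: kccevent
> An Warning Event occured. EventID: 0x8000061E
> An Error Event occured. EventID: 0xC000051F
> An Warning Event occured. EventID: 0x8000061E
> ......................... rpdc04 failed test
> kccevent
"""

if __name__ == "__main__":
    summary = summarize_dcdiag(SAMPLE)
    print("Failed tests:", ", ".join(summary["failed_tests"]))
    for f in summary["replication_failures"]:
        print(f"{f['src']} -> {f['dst']} {f['nc']}: error {f['code']}, "
              f"{f['count']} failures since {f['ok']}")
    for test, ids in summary["events"].items():
        print(test, ids)
```

The Replications test reports "passed" even though a replication failure is listed, so the failure list has to be read separately from the pass/fail lines.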
Re: Access Denied error while edit some of the GPOs in Windows 200 [message #412054 is a reply to message #411769] Mon, 15 March 2010 00:15
Laljeev M
Hi

The contents of both SYSVOL and Netlogon are the same on all DCs and Repadmin
shows the replication as successful. Shall we remove those GPOs which are
not allowing to edit and create new GPOs with same config?

Regards
Lal
--
----Server Management Team----


"Meinolf Weber [MVP-DS]" wrote:

> Hello Laljeev,
>
> Hopefully the second DC is back soon for you. Did you check the event viewer
> for errors on the DC where you logged in to when the access denied pop up?
>
> As you wrote you can't edit some of the GPOs, so you are able to edit some
> other? Did you check that the content of sysvol and netlogon is the same
> on all DCs in the domain and replication is working on each DC with repadmin
> /showrepl?
>
> Best regards
>
> Meinolf Weber
> Disclaimer: This posting is provided "AS IS" with no warranties, and confers
> no rights.
> ** Please do NOT email, only reply to Newsgroups
> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>
>
> > Hi
> >
> > Below is the output from dcdiag/v, I'm accessing the server through
> > terminal service (mstsc -admin). One of our DCs is down from this
> > morning (jpdc02)
> >

Re: Access Denied error while edit some of the GPOs in Windows 200 [message #412057 is a reply to message #412054] Mon, 15 March 2010 00:19
meiweb, Germany
Hello Laljeev,

I wouldn't, there must be a reason. Was there a restore from a DC some time
ago?

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> Hi
>
> The contents of both SYSVOL and Netlogon are the same on all DCs and
> Repadmin shows the replication as successful. Shall we remove those
> GPOs which are not allowing to edit and create new GPOs with same
> config?
>
> Regards
> Lal
> "Meinolf Weber [MVP-DS]" wrote:
>
>> Hello Laljeev,
>>
>> Hopefully the second DC is back soon for you. Did you check the event
>> viewer for errors on the DC where you logged in to when the access
>> denied pop up?
>>
>> As you wrote you can't edit some of the GPOs, so you are able to edit
>> some other? Did you check that the content of sysvol and netlogon is
>> the same on all DCs in the domain and replication is working on each
>> DC with repadmin /showrepl?
>>
>> Best regards
>>
>> Meinolf Weber
>> Disclaimer: This posting is provided "AS IS" with no warranties, and
>> confers
>> no rights.
>> ** Please do NOT email, only reply to Newsgroups
>> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>>> Hi
>>>
>>> Below is the output from dcdiag/v, I'm accessing the server through
>>> terminal service (mstsc -admin). One of our DCs is down from this
>>> morning (jpdc02)
>>>
>>>
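
The dcdiag /v output posted in this thread can be triaged mechanically instead of by eye. The following Python sketch is an added example, not part of any post: it strips the reply prefixes, tolerates the newsreader line wrapping, and lists failed tests, replication failures per source DC, and warning events with their 16-bit event codes. The function names are hypothetical and the sample text is constructed by abridging lines from the thread.

```python
import re

# Constructed sample: abridged from the dcdiag /v output posted in this thread,
# kept with the ">>> " reply prefixes and the mid-sentence wrapping it has here.
SAMPLE = """\
>>> Starting test: Replications
>>> [Replications Check,rpdc04] A recent replication attempt
>>> failed:
>>> From jpdc02 to rpdc04
>>> Naming Context: DC=ForestDnsZones,DC=mycompany,DC=com
>>> The replication generated an error (1256):
>>> The remote system is not available. For information about
>>> network troubleshooting, see Windows Help.
>>> The failure occurred at 2010-03-14 18:54:08.
>>> The last success occurred at 2010-03-13 12:17:32.
>>> 122 failures have occurred since the last success.
>>> [Replications Check,rpdc04] A recent replication attempt
>>> failed:
>>> From jpdc02 to rpdc04
>>> Naming Context:
>>> CN=Schema,CN=Configuration,DC=mycompany,DC=com
>>> The replication generated an error (1727):
>>> The remote procedure call failed and did not execute.
>>> The failure occurred at 2010-03-14 18:46:47.
>>> The last success occurred at 2010-03-13 12:17:31.
>>> 121 failures have occurred since the last success.
>>> ......................... rpdc04 passed test Replications
>>> Starting test: frssysvol
>>> ......................... rpdc04 passed test frssysvol
>>> Starting test: frsevent
>>> An Warning Event occured. EventID: 0x800034C4
>>> Time Generated: 03/14/2010 14:22:14
>>> ......................... rpdc04 failed test frsevent
>>> Starting test: kccevent
>>> An Warning Event occured. EventID: 0x8000061E
>>> Time Generated: 03/14/2010 18:52:28
"""

# Leading reply markers such as ">>> " or "> > >>> ".
QUOTE = re.compile(r"^(?:[ \t]*>)+[ \t]?", re.M)
# "......... <dc> passed|failed test <name>", possibly wrapped before the name.
RESULT = re.compile(r"\.{5,}\s+(\S+)\s+(passed|failed)\s+test\s+(\S+)")
START = re.compile(r"Starting test:\s+(\S+)")
# dcdiag of this era spells it "occured"; accept both spellings.
EVENT = re.compile(
    r"An (Warning|Error) Event occurr?ed\.\s+EventID:\s+(0x[0-9A-Fa-f]+)")
REPL_FAIL = re.compile(
    r"A recent replication attempt\s+failed:\s+"
    r"From (?P<src>\S+) to (?P<dst>\S+)\s+"
    r"Naming Context:\s*(?P<nc>\S+)\s+"
    r"The replication generated an error \((?P<code>\d+)\):"
    r".*?The last success occurred at (?P<last_ok>[\d-]+ [\d:]+)\."
    r"\s+(?P<count>\d+) failures have occurred",
    re.S,
)


def dequote(raw):
    """Remove mail/news reply prefixes from every line."""
    return QUOTE.sub("", raw)


def summarize(raw):
    """Return failed tests, replication failures by source DC, and events."""
    text = dequote(raw)

    failed_tests = [(dc, test) for dc, result, test in RESULT.findall(text)
                    if result == "failed"]

    replication = {}
    for m in REPL_FAIL.finditer(text):
        replication.setdefault(m["src"], []).append({
            "naming_context": m["nc"],
            "error": int(m["code"]),
            "failures": int(m["count"]),
            "last_success": m["last_ok"],
        })

    # Attribute each event to the most recent "Starting test:" line before it.
    starts = [(m.start(), m.group(1)) for m in START.finditer(text)]
    events = []
    for m in EVENT.finditer(text):
        owner = next((name for pos, name in reversed(starts)
                      if pos < m.start()), None)
        # The low 16 bits of the 32-bit EventID are the code shown in Event Viewer.
        events.append((owner, m.group(1), int(m.group(2), 16) & 0xFFFF))

    return {"failed_tests": failed_tests,
            "replication": replication,
            "events": events}


if __name__ == "__main__":
    report = summarize(SAMPLE)
    print("Failed tests:", report["failed_tests"])
    for src, items in report["replication"].items():
        for item in items:
            print(src, item)
    print("Events:", report["events"])
```

On the sample, the only failed test is frsevent, and every replication failure has the offline DC jpdc02 as its source.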

Re: Access Denied error while edit some of the GPOs in Windows 200 [message #412714 is a reply to message #412057] Mon, 15 March 2010 22:59
Laljeev M
Hi Meinolf

2 years back we demoted a DC in another site (which is down now because of
Hardware failure), then again promoted to DC using dcpromo /adv from the
backup of one of the DCs in the main site. But this issue started recently.
Again we are planning to promote the same failed DC using the same procedure.

What do you think of this issue?

Regards
Lal
--
----Server Management Team----


"Meinolf Weber [MVP-DS]" wrote:

> Hello Laljeev,
>
> I wouldn't, there must be a reason. Was there a restore from a DC some time
> ago?
>
> Best regards
>
> Meinolf Weber
> Disclaimer: This posting is provided "AS IS" with no warranties, and confers
> no rights.
> ** Please do NOT email, only reply to Newsgroups
> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>
>
> > Hi
> >
> > The contents of both SYSVOL and Netlogon are the same on all DCs and
> > Repadmin shows the replication as successful. Shall we remove those
> > GPOs which are not allowing to edit and create new GPOs with same
> > config?
> >
> > Regards
> > Lal
> > "Meinolf Weber [MVP-DS]" wrote:
> >
> >> Hello Laljeev,
> >>
> >> Hopefully the second DC is back soon for you. Did you check the event
> >> viewer for errors on the DC where you logged in to when the access
> >> denied pop up?
> >>
> >> As you wrote you can't edit some of the GPOs, so you are able to edit
> >> some other? Did you check that the content of sysvol and netlogon is
> >> the same on all DCs in the domain and replication is working on each
> >> DC with repadmin /showrepl?
> >>
> >> Best regards
> >>
> >> Meinolf Weber
> >> Disclaimer: This posting is provided "AS IS" with no warranties, and
> >> confers
> >> no rights.
> >> ** Please do NOT email, only reply to Newsgroups
> >> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
> >>> Hi
> >>>
> >>> Below is the output from dcdiag/v, I'm accessing the server through
> >>> terminal service (mstsc -admin). One of our DCs is down from this
> >>> morning (jpdc02)
> >>>

Re: Access Denied error while edit some of the GPOs in Windows 200 [message #412731 is a reply to message #412714] Mon, 15 March 2010 23:37
Laljeev M
Hi Meinolf

I forgot to tell you one thing, while installing the new DC (for the failed
one) we upgraded the schema to Windows 2003 R2. Now I tried to edit all GPOs
and we are facing problem for all those old GPOs which were there before
schema upgradation.
All new GPOs can be edited.

Regards
Lal-
----Server Management Team----


"Laljeev M" wrote:

> Hi Meinolf
>
> 2 years back we demoted a DC in another site (which is down now because of
> Hardware failure), then again promoted to DC using dcpromo /adv from the
> backup of one of the DCs in the main site. But this issue started recently.
> Again we are planning to promote the same failed DC using the same procedure.
>
> What do you think of this issue?
>
> Regards
> Lal
> --
> ----Server Management Team----
>
>
> "Meinolf Weber [MVP-DS]" wrote:
>
> > Hello Laljeev,
> >
> > I wouldn't, there must be a reason. Was there a restore from a DC some time
> > ago?
> >
> > Best regards
> >
> > Meinolf Weber
> > Disclaimer: This posting is provided "AS IS" with no warranties, and confers
> > no rights.
> > ** Please do NOT email, only reply to Newsgroups
> > ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
> >
> >
> > > Hi
> > >
> > > The contents of both SYSVOL and Netlogon are the same on all DCs and
> > > Repadmin shows the replication as successful. Shall we remove those
> > > GPOs which are not allowing to edit and create new GPOs with same
> > > config?
> > >
> > > Regards
> > > Lal
> > > "Meinolf Weber [MVP-DS]" wrote:
> > >
> > >> Hello Laljeev,
> > >>
> > >> Hopefully the second DC is back soon for you. Did you check the event
> > >> viewer for errors on the DC where you logged in to when the access
> > >> denied pop up?
> > >>
> > >> As you wrote you can't edit some of the GPOs, so you are able to edit
> > >> some other? Did you check that the content of sysvol and netlogon is
> > >> the same on all DCs in the domain and replication is working on each
> > >> DC with repadmin /showrepl?
> > >>
> > >> Best regards
> > >>
> > >> Meinolf Weber
> > >> Disclaimer: This posting is provided "AS IS" with no warranties, and
> > >> confers
> > >> no rights.
> > >> ** Please do NOT email, only reply to Newsgroups
> > >> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
> > >>> Hi
> > >>>
> > >>> Below is the output from dcdiag/v, I'm accessing the server through
> > >>> terminal service (mstsc -admin). One of our DCs is down from this
> > >>> morning (jpdc02)
> > >>>
> > >>> ____________________
> > >>>
> > >>> Domain Controller Diagnosis
> > >>>
> > >>> Performing initial setup:
> > >>> * Verifying that the local machine rpdc04, is a DC.
> > >>> * Connecting to directory service on server rpdc04.
> > >>> * Collecting site info.
> > >>> * Identifying all servers.
> > >>> * Identifying all NC cross-refs.
> > >>> * Found 4 DC(s). Testing 1 of them.
> > >>> Done gathering initial info.
> > >>> Doing initial required tests
> > >>> Testing server: RHO\rpdc04
> > >>> Starting test: Connectivity
> > >>> * Active Directory LDAP Services Check
> > >>> * Active Directory RPC Services Check
> > >>> ......................... rpdc04 passed test Connectivity
> > >>> Doing primary tests
> > >>> Testing server: RHO\rpdc04
> > >>> Starting test: Replications
> > >>> * Replications Check
> > >>> [Replications Check,rpdc04] No replication recently
> > >>> attempted:
> > >>> From dbdc01 to rpdc04
> > >>> Naming Context: DC=ForestDnsZones,DC=mycompany,DC=com
> > >>> The last attempt occurred at 2010-03-14 15:47:00 (about 3
> > >>> hours
> > >>> ago).
> > >>> [Replications Check,rpdc04] A recent replication attempt
> > >>> failed:
> > >>> From jpdc02 to rpdc04
> > >>> Naming Context: DC=ForestDnsZones,DC=mycompany,DC=com
> > >>> The replication generated an error (1256):
> > >>> The remote system is not available. For information about
> > >>> network troubleshooting, see Windows Help.
> > >>> The failure occurred at 2010-03-14 18:54:08.
> > >>> The last success occurred at 2010-03-13 12:17:32.
> > >>> 122 failures have occurred since the last success.
> > >>> [Replications Check,rpdc04] A recent replication attempt
> > >>> failed:
> > >>> From jpdc02 to rpdc04
> > >>> Naming Context: DC=DomainDnsZones,DC=mycompany,DC=com
> > >>> The replication generated an error (1256):
> > >>> The remote system is not available. For information about
> > >>> network troubleshooting, see Windows Help.
> > >>> The failure occurred at 2010-03-14 18:54:08.
> > >>> The last success occurred at 2010-03-13 12:17:32.
> > >>> 122 failures have occurred since the last success.
> > >>> [Replications Check,rpdc04] A recent replication attempt
> > >>> failed:
> > >>> From jpdc02 to rpdc04
> > >>> Naming Context:
> > >>> CN=Schema,CN=Configuration,DC=mycompany,DC=com
> > >>> The replication generated an error (1727):
> > >>> The remote procedure call failed and did not execute.
> > >>> The failure occurred at 2010-03-14 18:46:47.
> > >>> The last success occurred at 2010-03-13 12:17:31.
> > >>> 121 failures have occurred since the last success.
> > >>> [Replications Check,rpdc04] A recent replication attempt
> > >>> failed:
> > >>> From jpdc02 to rpdc04
> > >>> Naming Context: CN=Configuration,DC=mycompany,DC=com
> > >>> The replication generated an error (1727):
> > >>> The remote procedure call failed and did not execute.
> > >>> The failure occurred at 2010-03-14 19:01:22.
> > >>> The last success occurred at 2010-03-13 12:17:24.
> > >>> 122 failures have occurred since the last success.
> > >>> [Replications Check,rpdc04] A recent replication attempt
> > >>> failed:
> > >>> From jpdc02 to rpdc04
> > >>> Naming Context: DC=mycompany,DC=com
> > >>> The replication generated an error (1727):
> > >>> The remote procedure call failed and did not execute.
> > >>> The failure occurred at 2010-03-14 18:54:08.
> > >>> The last success occurred at 2010-03-13 12:17:23.
> > >>> 11 failures have occurred since the last success.
> > >>> rpdc04: There are 21 replication work items in the queue.
> > >>> REPLICATION LATENCY WARNING
> > >>> rpdc04: A long-running replication operation is in progress
> > >>> The job has been executing for 5 minutes and 2 seconds.
> > >>> Replication of new changes along this path will be
> > >>> delayed.
> > >>> Error: Higher priority replications are being blocked
> > >>> Enqueued 2010-03-14 18:47:22 at priority 170
> > >>> Op: SYNC FROM SOURCE
> > >>> NC CN=Schema,CN=Configuration,DC=mycompany,DC=com
> > >>> DSADN CN=NTDS Settings,CN=jpdc02,CN=Servers,CN=JED,CN=Sites,CN=Configuration,DC=mycompany,DC=com
> > >>> DSA transport addr
> > >>> f9f5b45f-b5e6-4302-9e97-069c79fd1585._msdcs.mycompany.com
> > >>> * Replication Latency Check
> > >>> REPLICATION-RECEIVED LATENCY WARNING
> > >>> rpdc04: Current time is 2010-03-14 19:06:31.
> > >>> DC=ForestDnsZones,DC=mycompany,DC=com
> > >>> Last replication recieved from jpdc02 at 2010-03-13
> > >>> 12:18:23.
> > >>> Latency information for 12 entries in the vector were
> > >>> ignored.
> > >>> 12 were retired Invocations. 0 were either:
> > >>> read-only
> > >>> replicas and are not verifiably latent, or dc's no longer
> > >>> replicating
> > >>> this
> > >>> nc. 0 had no latency information (Win2K DC).
> > >>> DC=DomainDnsZones,DC=mycompany,DC=com
> > >>> Last replication recieved from jpdc02 at 2010-03-13
> > >>> 12:18:22.
> > >>> Latency information for 12 entries in the vector were
> > >>> ignored.
> > >>> 12 were retired Invocations. 0 were either:
> > >>> read-only
> > >>> replicas and are not verifiably latent, or dc's no longer
> > >>> replicating
> > >>> this
> > >>> nc. 0 had no latency information (Win2K DC).
> > >>> CN=Schema,CN=Configuration,DC=mycompany,DC=com
> > >>> Last replication recieved from jpdc02 at 2010-03-13
> > >>> 12:18:22.
> > >>> Latency information for 19 entries in the vector were
> > >>> ignored.
> > >>> 19 were retired Invocations. 0 were either:
> > >>> read-only
> > >>> replicas and are not verifiably latent, or dc's no longer
> > >>> replicating
> > >>> this
> > >>> nc. 0 had no latency information (Win2K DC).
> > >>> CN=Configuration,DC=mycompany,DC=com
> > >>> Last replication recieved from jpdc02 at 2010-03-13
> > >>> 12:18:21.
> > >>> Latency information for 19 entries in the vector were
> > >>> ignored.
> > >>> 19 were retired Invocations. 0 were either:
> > >>> read-only
> > >>> replicas and are not verifiably latent, or dc's no longer
> > >>> replicating
> > >>> this
> > >>> nc. 0 had no latency information (Win2K DC).
> > >>> DC=mycompany,DC=com
> > >>> Last replication recieved from jpdc02 at 2010-03-13
> > >>> 12:18:22.
> > >>> Latency information for 18 entries in the vector were
> > >>> ignored.
> > >>> 18 were retired Invocations. 0 were either:
> > >>> read-only
> > >>> replicas and are not verifiably latent, or dc's no longer
> > >>> replicating
> > >>> this
> > >>> nc. 0 had no latency information (Win2K DC).
> > >>> ......................... rpdc04 passed test Replications
> > >>> Test omitted by user request: Topology
> > >>> Test omitted by user request: CutoffServers
> > >>> Starting test: NCSecDesc
> > >>> * Security Permissions check for all NC's on DC rpdc04.
> > >>> * Security Permissions Check for
> > >>> DC=ForestDnsZones,DC=mycompany,DC=com
> > >>> (NDNC,Version 2)
> > >>> * Security Permissions Check for
> > >>> DC=DomainDnsZones,DC=mycompany,DC=com
> > >>> (NDNC,Version 2)
> > >>> * Security Permissions Check for
> > >>> CN=Schema,CN=Configuration,DC=mycompany,DC=com
> > >>> (Schema,Version 2)
> > >>> * Security Permissions Check for
> > >>> CN=Configuration,DC=mycompany,DC=com
> > >>> (Configuration,Version 2)
> > >>> * Security Permissions Check for
> > >>> DC=mycompany,DC=com
> > >>> (Domain,Version 2)
> > >>> ......................... rpdc04 passed test NCSecDesc
> > >>> Starting test: NetLogons
> > >>> * Network Logons Privileges Check
> > >>> Verified share \\rpdc04\netlogon
> > >>> Verified share \\rpdc04\sysvol
> > >>> ......................... rpdc04 passed test NetLogons
> > >>> Starting test: Advertising
> > >>> The DC rpdc04 is advertising itself as a DC and having a DS.
> > >>> The DC rpdc04 is advertising as an LDAP server
> > >>> The DC rpdc04 is advertising as having a writeable directory
> > >>> The DC rpdc04 is advertising as a Key Distribution Center
> > >>> The DC rpdc04 is advertising as a time server
> > >>> The DS rpdc04 is advertising as a GC.
> > >>> ......................... rpdc04 passed test Advertising
> > >>> Starting test: KnowsOfRoleHolders
> > >>> Role Schema Owner = CN=NTDS Settings,CN=rpdc03,CN=Servers,CN=RHO,CN=Sites,CN=Configuration,DC=mycompany,DC=com
> > >>> Role Domain Owner = CN=NTDS Settings,CN=rpdc03,CN=Servers,CN=RHO,CN=Sites,CN=Configuration,DC=mycompany,DC=com
> > >>> Role PDC Owner = CN=NTDS Settings,CN=rpdc03,CN=Servers,CN=RHO,CN=Sites,CN=Configuration,DC=mycompany,DC=com
> > >>> Role Rid Owner = CN=NTDS Settings,CN=rpdc03,CN=Servers,CN=RHO,CN=Sites,CN=Configuration,DC=mycompany,DC=com
> > >>> Role Infrastructure Update Owner = CN=NTDS Settings,CN=rpdc03,CN=Servers,CN=RHO,CN=Sites,CN=Configuration,DC=mycompany,DC=com
> > >>> ......................... rpdc04 passed test
> > >>> KnowsOfRoleHolders
> > >>> Starting test: RidManager
> > >>> * Available RID Pool for the Domain is 22603 to 1073741823
> > >>> * rpdc03.mycompany.com is the RID Master
> > >>> * DsBind with RID Master was successful
> > >>> * rIDAllocationPool is 20103 to 20602
> > >>> * rIDPreviousAllocationPool is 20103 to 20602
> > >>> * rIDNextRID: 20266
> > >>> ......................... rpdc04 passed test RidManager
> > >>> Starting test: MachineAccount
> > >>> Checking machine account for DC rpdc04 on DC rpdc04.
> > >>> * SPN found :LDAP/rpdc04.mycompany.com/mycompany.com
> > >>> * SPN found :LDAP/rpdc04.mycompany.com
> > >>> * SPN found :LDAP/rpdc04
> > >>> * SPN found :LDAP/rpdc04.mycompany.com/mycompany
> > >>> * SPN found :LDAP/25671f81-8b4c-404c-991f-e5ae1eb35d62._msdcs.mycompany.com
> > >>> * SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/25671f81-8b4c-404c-991f-e5ae1eb35d62/mycompany.com
> > >>> * SPN found :HOST/rpdc04.mycompany.com/mycompany.com
> > >>> * SPN found :HOST/rpdc04.mycompany.com
> > >>> * SPN found :HOST/rpdc04
> > >>> * SPN found :HOST/rpdc04.mycompany.com/mycompany
> > >>> * SPN found :GC/rpdc04.mycompany.com/mycompany.com
Re: Access Denied error while edit some of the GPOs in Windows 200 [message #412796 is a reply to message #412714] Tue, 16 March 2010 01:53
meiweb (Germany)
Hello Laljeev,

To understand you correctly, you promoted a new DC from the backup of an old
one? What kind of backup was used, system state? Please be more specific about
how this was done. Also run repadmin /showrepl on all DCs and post the output
here or add it as a text file.

repadmin /showrepl >c:\repadmindc1.log

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> Hi Meinolf
>
> 2 years back we demoted a DC in another site (which is down now
> because of Hardware failure), then again promoted to DC using dcpromo
> /adv from the backup of one of the DCs in the main site. But this
> issue started recently. Again we are planning to promote the same
> failed DC using the same procedure.
>
> What do you think of this issue?
>
> Regards
> Lal
> "Meinolf Weber [MVP-DS]" wrote:
>
>> Hello Laljeev,
>>
>> I wouldn't, there must be a reason. Was there a restore from a DC
>> some time ago?
>>
>> Best regards
>>
>> Meinolf Weber
>> Disclaimer: This posting is provided "AS IS" with no warranties, and
>> confers
>> no rights.
>> ** Please do NOT email, only reply to Newsgroups
>> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>>> Hi
>>>
>>> The contents of both SYSVOL and Netlogon are same on all Dcs and
>>> Repadmin shows the replication as successful. Shall we remove those
>>> GPOs which are not allowing to edit and create new GPOs with same
>>> config
>>>
>>> Regards
>>> Lal
>>> "Meinolf Weber [MVP-DS]" wrote:
>>>> Hello Laljeev,
>>>>
>>>> Hopefully the second DC is back soon for you. Did you check the
>>>> event viewer for errors on the DC where you logged in to when the
>>>> access denied pop up?
>>>>
>>>> As you wrote you can't edit some of the GPOs, so you are able to
>>>> edit some other? Did you check that the content of sysvol and
>>>> netlogon is the same on all DCs in the domain and replication is
>>>> working on each DC with repadmin /showrepl?
>>>>
>>>> Best regards
>>>>
>>>> Meinolf Weber
>>>> Disclaimer: This posting is provided "AS IS" with no warranties,
>>>> and
>>>> confers
>>>> no rights.
>>>> ** Please do NOT email, only reply to Newsgroups
>>>> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>>>>> Hi
>>>>>
>>>>> Below is the output from dcdiag/v, I'm accessing the server
>>>>> through terminal service (mstsc -admin). One of our DCs is down
>>>>> from this morning (jpdc02)
>>>>>
>>>>> ____________________
>>>>>
>>>>> Domain Controller Diagnosis
>>>>>
>>>>> Performing initial setup:
>>>>> * Verifying that the local machine rpdc04, is a DC.
>>>>> * Connecting to directory service on server rpdc04.
>>>>> * Collecting site info.
>>>>> * Identifying all servers.
>>>>> * Identifying all NC cross-refs.
>>>>> * Found 4 DC(s). Testing 1 of them.
>>>>> Done gathering initial info.
>>>>> Doing initial required tests
>>>>> Testing server: RHO\rpdc04
>>>>> Starting test: Connectivity
>>>>> * Active Directory LDAP Services Check
>>>>> * Active Directory RPC Services Check
>>>>> ......................... rpdc04 passed test Connectivity
>>>>> Doing primary tests
>>>>> Testing server: RHO\rpdc04
>>>>> Starting test: Replications
>>>>> * Replications Check
>>>>> [Replications Check,rpdc04] No replication recently
>>>>> attempted:
>>>>> From dbdc01 to rpdc04
>>>>> Naming Context: DC=ForestDnsZones,DC=mycompany,DC=com
>>>>> The last attempt occurred at 2010-03-14 15:47:00 (about 3
>>>>> hours
>>>>> ago).
>>>>> [Replications Check,rpdc04] A recent replication attempt
>>>>> failed:
>>>>> From jpdc02 to rpdc04
>>>>> Naming Context: DC=ForestDnsZones,DC=mycompany,DC=com
>>>>> The replication generated an error (1256):
>>>>> The remote system is not available. For information about
>>>>> network troubleshooting, see Windows Help.
>>>>> The failure occurred at 2010-03-14 18:54:08.
>>>>> The last success occurred at 2010-03-13 12:17:32.
>>>>> 122 failures have occurred since the last success.
>>>>> [Replications Check,rpdc04] A recent replication attempt
>>>>> failed:
>>>>> From jpdc02 to rpdc04
>>>>> Naming Context: DC=DomainDnsZones,DC=mycompany,DC=com
>>>>> The replication generated an error (1256):
>>>>> The remote system is not available. For information about
>>>>> network troubleshooting, see Windows Help.
>>>>> The failure occurred at 2010-03-14 18:54:08.
>>>>> The last success occurred at 2010-03-13 12:17:32.
>>>>> 122 failures have occurred since the last success.
>>>>> [Replications Check,rpdc04] A recent replication attempt
>>>>> failed:
>>>>> From jpdc02 to rpdc04
>>>>> Naming Context:
>>>>> CN=Schema,CN=Configuration,DC=mycompany,DC=com
>>>>> The replication generated an error (1727):
>>>>> The remote procedure call failed and did not execute.
>>>>> The failure occurred at 2010-03-14 18:46:47.
>>>>> The last success occurred at 2010-03-13 12:17:31.
>>>>> 121 failures have occurred since the last success.
>>>>> [Replications Check,rpdc04] A recent replication attempt
>>>>> failed:
>>>>> From jpdc02 to rpdc04
>>>>> Naming Context: CN=Configuration,DC=mycompany,DC=com
>>>>> The replication generated an error (1727):
>>>>> The remote procedure call failed and did not execute.
>>>>> The failure occurred at 2010-03-14 19:01:22.
>>>>> The last success occurred at 2010-03-13 12:17:24.
>>>>> 122 failures have occurred since the last success.
>>>>> [Replications Check,rpdc04] A recent replication attempt
>>>>> failed:
>>>>> From jpdc02 to rpdc04
>>>>> Naming Context: DC=mycompany,DC=com
>>>>> The replication generated an error (1727):
>>>>> The remote procedure call failed and did not execute.
>>>>> The failure occurred at 2010-03-14 18:54:08.
>>>>> The last success occurred at 2010-03-13 12:17:23.
>>>>> 11 failures have occurred since the last success.
>>>>> rpdc04: There are 21 replication work items in the queue.
>>>>> REPLICATION LATENCY WARNING
>>>>> rpdc04: A long-running replication operation is in progress
>>>>> The job has been executing for 5 minutes and 2 seconds.
>>>>> Replication of new changes along this path will be
>>>>> delayed.
>>>>> Error: Higher priority replications are being blocked
>>>>> Enqueued 2010-03-14 18:47:22 at priority 170
>>>>> Op: SYNC FROM SOURCE
>>>>> NC CN=Schema,CN=Configuration,DC=mycompany,DC=com
>>>>> DSADN CN=NTDS Settings,CN=jpdc02,CN=Servers,CN=JED,CN=Sites,CN=Configuration,DC=mycompany,DC=com
>>>>> DSA transport addr
>>>>> f9f5b45f-b5e6-4302-9e97-069c79fd1585._msdcs.mycompany.com
>>>>> * Replication Latency Check
>>>>> REPLICATION-RECEIVED LATENCY WARNING
>>>>> rpdc04: Current time is 2010-03-14 19:06:31.
>>>>> DC=ForestDnsZones,DC=mycompany,DC=com
>>>>> Last replication recieved from jpdc02 at 2010-03-13
>>>>> 12:18:23.
>>>>> Latency information for 12 entries in the vector were
>>>>> ignored.
>>>>> 12 were retired Invocations. 0 were either:
>>>>> read-only
>>>>> replicas and are not verifiably latent, or dc's no longer
>>>>> replicating
>>>>> this
>>>>> nc. 0 had no latency information (Win2K DC).
>>>>> DC=DomainDnsZones,DC=mycompany,DC=com
>>>>> Last replication recieved from jpdc02 at 2010-03-13
>>>>> 12:18:22.
>>>>> Latency information for 12 entries in the vector were
>>>>> ignored.
>>>>> 12 were retired Invocations. 0 were either:
>>>>> read-only
>>>>> replicas and are not verifiably latent, or dc's no longer
>>>>> replicating
>>>>> this
>>>>> nc. 0 had no latency information (Win2K DC).
>>>>> CN=Schema,CN=Configuration,DC=mycompany,DC=com
>>>>> Last replication recieved from jpdc02 at 2010-03-13
>>>>> 12:18:22.
>>>>> Latency information for 19 entries in the vector were
>>>>> ignored.
>>>>> 19 were retired Invocations. 0 were either:
>>>>> read-only
>>>>> replicas and are not verifiably latent, or dc's no longer
>>>>> replicating
>>>>> this
>>>>> nc. 0 had no latency information (Win2K DC).
>>>>> CN=Configuration,DC=mycompany,DC=com
>>>>> Last replication recieved from jpdc02 at 2010-03-13
>>>>> 12:18:21.
>>>>> Latency information for 19 entries in the vector were
>>>>> ignored.
>>>>> 19 were retired Invocations. 0 were either:
>>>>> read-only
>>>>> replicas and are not verifiably latent, or dc's no longer
>>>>> replicating
>>>>> this
>>>>> nc. 0 had no latency information (Win2K DC).
>>>>> DC=mycompany,DC=com
>>>>> Last replication recieved from jpdc02 at 2010-03-13
>>>>> 12:18:22.
>>>>> Latency information for 18 entries in the vector were
>>>>> ignored.
>>>>> 18 were retired Invocations. 0 were either:
>>>>> read-only
>>>>> replicas and are not verifiably latent, or dc's no longer
>>>>> replicating
>>>>> this
>>>>> nc. 0 had no latency information (Win2K DC).
>>>>> ......................... rpdc04 passed test Replications
>>>>> Test omitted by user request: Topology
>>>>> Test omitted by user request: CutoffServers
>>>>> Starting test: NCSecDesc
>>>>> * Security Permissions check for all NC's on DC rpdc04.
>>>>> * Security Permissions Check for
>>>>> DC=ForestDnsZones,DC=mycompany,DC=com
>>>>> (NDNC,Version 2)
>>>>> * Security Permissions Check for
>>>>> DC=DomainDnsZones,DC=mycompany,DC=com
>>>>> (NDNC,Version 2)
>>>>> * Security Permissions Check for
>>>>> CN=Schema,CN=Configuration,DC=mycompany,DC=com
>>>>> (Schema,Version 2)
>>>>> * Security Permissions Check for
>>>>> CN=Configuration,DC=mycompany,DC=com
>>>>> (Configuration,Version 2)
>>>>> * Security Permissions Check for
>>>>> DC=mycompany,DC=com
>>>>> (Domain,Version 2)
>>>>> ......................... rpdc04 passed test NCSecDesc
>>>>> Starting test: NetLogons
>>>>> * Network Logons Privileges Check
>>>>> Verified share \\rpdc04\netlogon
>>>>> Verified share \\rpdc04\sysvol
>>>>> ......................... rpdc04 passed test NetLogons
>>>>> Starting test: Advertising
>>>>> The DC rpdc04 is advertising itself as a DC and having a DS.
>>>>> The DC rpdc04 is advertising as an LDAP server
>>>>> The DC rpdc04 is advertising as having a writeable directory
>>>>> The DC rpdc04 is advertising as a Key Distribution Center
>>>>> The DC rpdc04 is advertising as a time server
>>>>> The DS rpdc04 is advertising as a GC.
>>>>> ......................... rpdc04 passed test Advertising
>>>>> Starting test: KnowsOfRoleHolders
>>>>> Role Schema Owner = CN=NTDS Settings,CN=rpdc03,CN=Servers,CN=RHO,CN=Sites,CN=Configuration,DC=mycompany,DC=com
>>>>> Role Domain Owner = CN=NTDS Settings,CN=rpdc03,CN=Servers,CN=RHO,CN=Sites,CN=Configuration,DC=mycompany,DC=com
>>>>> Role PDC Owner = CN=NTDS Settings,CN=rpdc03,CN=Servers,CN=RHO,CN=Sites,CN=Configuration,DC=mycompany,DC=com
>>>>> Role Rid Owner = CN=NTDS Settings,CN=rpdc03,CN=Servers,CN=RHO,CN=Sites,CN=Configuration,DC=mycompany,DC=com
>>>>> Role Infrastructure Update Owner = CN=NTDS Settings,CN=rpdc03,CN=Servers,CN=RHO,CN=Sites,CN=Configuration,DC=mycompany,DC=com
>>>>> ......................... rpdc04 passed test
>>>>> KnowsOfRoleHolders
>>>>> Starting test: RidManager
>>>>> * Available RID Pool for the Domain is 22603 to 1073741823
>>>>> * rpdc03.mycompany.com is the RID Master
>>>>> * DsBind with RID Master was successful
>>>>> * rIDAllocationPool is 20103 to 20602
>>>>> * rIDPreviousAllocationPool is 20103 to 20602
>>>>> * rIDNextRID: 20266
>>>>> ......................... rpdc04 passed test RidManager
>>>>> Starting test: MachineAccount
>>>>> Checking machine account for DC rpdc04 on DC rpdc04.
>>>>> * SPN found :LDAP/rpdc04.mycompany.com/mycompany.com
>>>>> * SPN found :LDAP/rpdc04.mycompany.com
>>>>> * SPN found :LDAP/rpdc04
>>>>> * SPN found :LDAP/rpdc04.mycompany.com/mycompany
>>>>> * SPN found :LDAP/25671f81-8b4c-404c-991f-e5ae1eb35d62._msdcs.mycompany.com
>>>>> * SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/25671f81-8b4c-404c-991f-e5ae1eb35d62/mycompany.com
>>>>> * SPN found :HOST/rpdc04.mycompany.com/mycompany.com
>>>>> * SPN found :HOST/rpdc04.mycompany.com
>>>>> * SPN found :HOST/rpdc04
>>>>> * SPN found :HOST/rpdc04.mycompany.com/mycompany
>>>>> * SPN found :GC/rpdc04.mycompany.com/mycompany.com
>>>>> ......................... rpdc04 passed test MachineAccount
>>>>> Starting test: Services
>>>>> * Checking Service: Dnscache
>>>>> * Checking Service: NtFrs
>>>>> * Checking Service: IsmServ
>>>>> * Checking Service: kdc
>>>>> * Checking Service: SamSs
>>>>> * Checking Service: LanmanServer
>>>>> * Checking Service: LanmanWorkstation
>>>>> * Checking Service: RpcSs
>>>>> * Checking Service: w32time
>>>>> * Checking Service: NETLOGON
>>>>> ......................... rpdc04 passed test Services
>>>>> Test omitted by user request: OutboundSecureChannels
>>>>> Starting test: ObjectsReplicated
>>>>> rpdc04 is in domain DC=mycompany,DC=com
>>>>> Checking for CN=rpdc04,OU=Domain
Re: Access Denied error while edit some of the GPOs in Windows 200 [message #412827 is a reply to message #412796] Tue, 16 March 2010 03:31
Laljeev
Hi

We took system state back from a working DC, where all roles are installed.
Then using dcpromo /adv command promoted the new DC.

Below are the repadmin results from each DC

---------
----dco3 output----



repadmin running command /showrepl against server localhost



RHO\dc03

DC Options: IS_GC

Site Options: (none)

DC object GUID: c3a73c12-ffd0-478a-b13a-8e522ef33480

DC invocationID: 0c0e7c99-ee98-4f22-b3a9-f5b0e841c29b



==== INBOUND NEIGHBORS ======================================



DC=mycomp,DC=com

RHO\dc04 via RPC

DC object GUID: 25671f81-8b4c-404c-991f-e5ae1eb35d62

Last attempt @ 2010-03-16 12:05:45 was successful.



CN=Configuration,DC=mycomp,DC=com

RHO\dc04 via RPC

DC object GUID: 25671f81-8b4c-404c-991f-e5ae1eb35d62

Last attempt @ 2010-03-16 12:05:45 was successful.



CN=Schema,CN=Configuration,DC=mycomp,DC=com

RHO\dc04 via RPC

DC object GUID: 25671f81-8b4c-404c-991f-e5ae1eb35d62

Last attempt @ 2010-03-16 12:05:45 was successful.



DC=DomainDnsZones,DC=mycomp,DC=com

RHO\dc04 via RPC

DC object GUID: 25671f81-8b4c-404c-991f-e5ae1eb35d62

Last attempt @ 2010-03-16 12:05:45 was successful.



DC=ForestDnsZones,DC=mycomp,DC=com

RHO\dc04 via RPC

DC object GUID: 25671f81-8b4c-404c-991f-e5ae1eb35d62

Last attempt @ 2010-03-16 12:05:45 was successful.


-----dc04 output----




repadmin running command /showrepl against server localhost



RHO\dc04

DC Options: IS_GC

Site Options: (none)

DC object GUID: 25671f81-8b4c-404c-991f-e5ae1eb35d62

DC invocationID: 402b9c2f-63e3-4bd4-9dfe-0c079a6fca57



==== INBOUND NEIGHBORS ======================================



DC=mycomp,DC=com

DAM\bdc01 via RPC

DC object GUID: d0589f5b-3879-4ed9-b94c-db6d0b33b0af

Last attempt @ 2010-03-16 12:02:29 was successful.

RHO\dc03 via RPC

DC object GUID: c3a73c12-ffd0-478a-b13a-8e522ef33480

Last attempt @ 2010-03-16 12:11:04 was successful.



CN=Configuration,DC=mycomp,DC=com

RHO\dc03 via RPC

DC object GUID: c3a73c12-ffd0-478a-b13a-8e522ef33480

Last attempt @ 2010-03-16 12:02:29 was successful.

DAM\bdc01 via RPC

DC object GUID: d0589f5b-3879-4ed9-b94c-db6d0b33b0af

Last attempt @ 2010-03-16 12:02:29 was successful.



CN=Schema,CN=Configuration,DC=mycomp,DC=com

RHO\dc03 via RPC

DC object GUID: c3a73c12-ffd0-478a-b13a-8e522ef33480

Last attempt @ 2010-03-16 12:02:29 was successful.

DAM\bdc01 via RPC

DC object GUID: d0589f5b-3879-4ed9-b94c-db6d0b33b0af

Last attempt @ 2010-03-16 12:02:29 was successful.



DC=DomainDnsZones,DC=mycomp,DC=com

RHO\dc03 via RPC

DC object GUID: c3a73c12-ffd0-478a-b13a-8e522ef33480

Last attempt @ 2010-03-16 12:02:29 was successful.

DAM\bdc01 via RPC

DC object GUID: d0589f5b-3879-4ed9-b94c-db6d0b33b0af

Last attempt @ 2010-03-16 12:02:30 was successful.



DC=ForestDnsZones,DC=mycomp,DC=com

RHO\dc03 via RPC

DC object GUID: c3a73c12-ffd0-478a-b13a-8e522ef33480

Last attempt @ 2010-03-16 12:02:29 was successful.

DAM\bdc01 via RPC

DC object GUID: d0589f5b-3879-4ed9-b94c-db6d0b33b0af

Last attempt @ 2010-03-16 12:02:30 was successful.

---From BDc01---

repadmin running command /showrepl against server localhost



DAM\bdc01

DC Options: IS_GC

Site Options: (none)

DC object GUID: d0589f5b-3879-4ed9-b94c-db6d0b33b0af

DC invocationID: 3c658661-677a-4a29-821f-0e00ba288862



==== INBOUND NEIGHBORS ======================================



DC=mycomp,DC=com

RHO\dc04 via RPC

DC object GUID: 25671f81-8b4c-404c-991f-e5ae1eb35d62

Last attempt @ 2010-03-16 11:48:21 was successful.



CN=Configuration,DC=mycomp,DC=com

RHO\dc04 via RPC

DC object GUID: 25671f81-8b4c-404c-991f-e5ae1eb35d62

Last attempt @ 2010-03-16 11:48:20 was successful.



CN=Schema,CN=Configuration,DC=mycomp,DC=com

RHO\dc04 via RPC

DC object GUID: 25671f81-8b4c-404c-991f-e5ae1eb35d62

Last attempt @ 2010-03-16 11:48:20 was successful.



DC=DomainDnsZones,DC=mycomp,DC=com

RHO\dc04 via RPC

DC object GUID: 25671f81-8b4c-404c-991f-e5ae1eb35d62

Last attempt @ 2010-03-16 11:48:21 was successful.



DC=ForestDnsZones,DC=mycomp,DC=com

RHO\dc04 via RPC

DC object GUID: 25671f81-8b4c-404c-991f-e5ae1eb35d62

Last attempt @ 2010-03-16 11:48:22 was successful.

-----

Regards
Lal
--
Server Management Team
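
The `repadmin /showrepl` dumps in the post above can be checked mechanically instead of by eye. The following is an added example, not code from the thread: it parses that layout and flags failed links, links with no recent success, and replication partners whose own output was not supplied. The sample text is constructed, the jpdc02 failure entry and its all-zero GUID are placeholders, and the function names are hypothetical.

```python
import re
from datetime import datetime, timedelta

# Constructed samples in the layout of the output posted above. The jpdc02
# failure entry and its all-zero GUID are placeholders that exercise the
# failure format repadmin prints; they are not taken from the thread.
SAMPLE_DC03 = r"""
RHO\dc03
DC Options: IS_GC
==== INBOUND NEIGHBORS ======================================
DC=mycomp,DC=com
    RHO\dc04 via RPC
        DC object GUID: 25671f81-8b4c-404c-991f-e5ae1eb35d62
        Last attempt @ 2010-03-16 12:05:45 was successful.
"""
SAMPLE_DC04 = r"""
repadmin running command /showrepl against server localhost

RHO\dc04
DC Options: IS_GC
DC object GUID: 25671f81-8b4c-404c-991f-e5ae1eb35d62
==== INBOUND NEIGHBORS ======================================
DC=mycomp,DC=com
    RHO\dc03 via RPC
        DC object GUID: c3a73c12-ffd0-478a-b13a-8e522ef33480
        Last attempt @ 2010-03-16 12:11:04 was successful.
    JED\jpdc02 via RPC
        DC object GUID: 00000000-0000-0000-0000-000000000000
        Last attempt @ 2010-03-16 12:10:00 failed, result 1727 (0x6bf):
            The remote procedure call failed and did not execute.
        11 consecutive failure(s).
        Last success @ 2010-03-13 12:17:23.
CN=Configuration,DC=mycomp,DC=com
    RHO\dc03 via RPC
        DC object GUID: c3a73c12-ffd0-478a-b13a-8e522ef33480
        Last attempt @ 2010-03-16 12:02:29 was successful.
"""

TS = r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})"
LOCAL_RE = re.compile(r"^([^\\\s]+)\\(\S+)$")             # SITE\dc (report owner)
NC_RE = re.compile(r"^(?:DC|CN)=\S+$")                    # naming context line
SOURCE_RE = re.compile(r"^([^\\\s]+)\\(\S+) via RPC$")    # inbound partner
OK_RE = re.compile(rf"^Last attempt @ {TS} was successful\.$")
FAIL_RE = re.compile(rf"^Last attempt @ {TS} failed, result (\d+)")
COUNT_RE = re.compile(r"^(\d+) consecutive failure")
LAST_OK_RE = re.compile(rf"^Last success @ {TS}\.$")


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def parse_showrepl(text):
    """Parse one DC's /showrepl output into (local_dc, [inbound link dicts])."""
    local, nc, link, links = None, None, None, []
    for raw in text.splitlines():
        line = raw.strip()          # tolerates the blank lines seen in the post
        if not line:
            continue
        if local is None and (m := LOCAL_RE.match(line)):
            local = m.group(2).lower()
        elif NC_RE.match(line):
            nc = line
        elif m := SOURCE_RE.match(line):
            link = {"dest": local, "nc": nc, "source": m.group(2).lower(),
                    "ok": None, "code": None, "failures": 0, "last_success": None}
            links.append(link)
        elif link is None:
            continue                # header lines before the first partner
        elif m := OK_RE.match(line):
            link.update(ok=True, last_success=_ts(m.group(1)))
        elif m := FAIL_RE.match(line):
            link.update(ok=False, code=int(m.group(2)))
        elif m := COUNT_RE.match(line):
            link["failures"] = int(m.group(1))
        elif m := LAST_OK_RE.match(line):
            link["last_success"] = _ts(m.group(1))
    return local, links


def review(reports, now, max_age=timedelta(hours=24)):
    """Return findings across several DCs' reports (one text per DC)."""
    links, reported = [], set()
    for text in reports:
        local, parsed = parse_showrepl(text)
        reported.add(local)
        links.extend(parsed)
    findings = []
    for l in links:
        tag = f"{l['source']} -> {l['dest']} [{l['nc']}]"
        if l["ok"] is False:
            findings.append(f"FAILED {tag}: error {l['code']}, "
                            f"{l['failures']} consecutive failure(s)")
        if l["last_success"] is None or now - l["last_success"] > max_age:
            findings.append(f"STALE {tag}: last success {l['last_success']}")
    # A DC that others pull from but that sent no report cannot be verified.
    for dc in sorted({l["source"] for l in links} - reported):
        findings.append(f"NO REPORT from {dc}: listed as a source, output missing")
    return findings


if __name__ == "__main__":
    for item in review([SAMPLE_DC03, SAMPLE_DC04], now=datetime(2010, 3, 16, 12, 30)):
        print(item)
```

An empty result only means the directory partitions replicated; SYSVOL content is replicated separately by NtFrs, so GPO file mismatches need their own comparison.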
Re: Access Denied error while edit some of the GPOs in Windows 200 [message #412832 is a reply to message #412827] Tue, 16 March 2010 03:50
meiweb (Germany)
Hello Laljeev,

"We took system state back from a working DC, where all roles are installed.
Then using dcpromo /adv command promoted the new DC"

This is not a supported way of installing a DC; having FSMOs more than once
this way will result in problems.

What about DC2? Isn't it listed in AD Sites and Services, and do all DCs have
replication connectors to the others?

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> Hi
>
> We took system state back from a working DC, where all roles are
> installed. Then using dcpromo /adv command promoted the new DC.
>
> Below are results from repadmin from each DCs
>
> ---------
> ----dco3 output----
> repadmin running command /showrepl against server localhost
>
> RHO\dc03
>
> DC Options: IS_GC
>
> Site Options: (none)
>
> DC object GUID: c3a73c12-ffd0-478a-b13a-8e522ef33480
>
> DC invocationID: 0c0e7c99-ee98-4f22-b3a9-f5b0e841c29b
>
> ==== INBOUND NEIGHBORS ======================================
>
> DC=mycomp,DC=com
>
> RHO\dc04 via RPC
>
> DC object GUID: 25671f81-8b4c-404c-991f-e5ae1eb35d62
>
> Last attempt @ 2010-03-16 12:05:45 was successful.
>
> CN=Configuration,DC=mycomp,DC=com
>
> RHO\dc04 via RPC
>
> DC object GUID: 25671f81-8b4c-404c-991f-e5ae1eb35d62
>
> Last attempt @ 2010-03-16 12:05:45 was successful.
>
> CN=Schema,CN=Configuration,DC=mycomp,DC=com
>
> RHO\dc04 via RPC
>
> DC object GUID: 25671f81-8b4c-404c-991f-e5ae1eb35d62
>
> Last attempt @ 2010-03-16 12:05:45 was successful.
>
> DC=DomainDnsZones,DC=mycomp,DC=com
>
> RHO\dc04 via RPC
>
> DC object GUID: 25671f81-8b4c-404c-991f-e5ae1eb35d62
>
> Last attempt @ 2010-03-16 12:05:45 was successful.
>
> DC=ForestDnsZones,DC=mycomp,DC=com
>
> RHO\dc04 via RPC
>
> DC object GUID: 25671f81-8b4c-404c-991f-e5ae1eb35d62
>
> Last attempt @ 2010-03-16 12:05:45 was successful.
>
> -----dc04 output----
>
> repadmin running command /showrepl against server localhost
>
> RHO\dc04
>
> DC Options: IS_GC
>
> Site Options: (none)
>
> DC object GUID: 25671f81-8b4c-404c-991f-e5ae1eb35d62
>
> DC invocationID: 402b9c2f-63e3-4bd4-9dfe-0c079a6fca57
>
> ==== INBOUND NEIGHBORS ======================================
>
> DC=mycomp,DC=com
>
> DAM\bdc01 via RPC
>
> DC object GUID: d0589f5b-3879-4ed9-b94c-db6d0b33b0af
>
> Last attempt @ 2010-03-16 12:02:29 was successful.
>
> RHO\dc03 via RPC
>
> DC object GUID: c3a73c12-ffd0-478a-b13a-8e522ef33480
>
> Last attempt @ 2010-03-16 12:11:04 was successful.
>
> CN=Configuration,DC=mycomp,DC=com
>
> RHO\dc03 via RPC
>
> DC object GUID: c3a73c12-ffd0-478a-b13a-8e522ef33480
>
> Last attempt @ 2010-03-16 12:02:29 was successful.
>
> DAM\bdc01 via RPC
>
> DC object GUID: d0589f5b-3879-4ed9-b94c-db6d0b33b0af
>
> Last attempt @ 2010-03-16 12:02:29 was successful.
>
> CN=Schema,CN=Configuration,DC=mycomp,DC=com
>
> RHO\dc03 via RPC
>
> DC object GUID: c3a73c12-ffd0-478a-b13a-8e522ef33480
>
> Last attempt @ 2010-03-16 12:02:29 was successful.
>
> DAM\bdc01 via RPC
>
> DC object GUID: d0589f5b-3879-4ed9-b94c-db6d0b33b0af
>
> Last attempt @ 2010-03-16 12:02:29 was successful.
>
> DC=DomainDnsZones,DC=mycomp,DC=com
>
> RHO\dc03 via RPC
>
> DC object GUID: c3a73c12-ffd0-478a-b13a-8e522ef33480
>
> Last attempt @ 2010-03-16 12:02:29 was successful.
>
> DAM\bdc01 via RPC
>
> DC object GUID: d0589f5b-3879-4ed9-b94c-db6d0b33b0af
>
> Last attempt @ 2010-03-16 12:02:30 was successful.
>
> DC=ForestDnsZones,DC=mycomp,DC=com
>
> RHO\dc03 via RPC
>
> DC object GUID: c3a73c12-ffd0-478a-b13a-8e522ef33480
>
> Last attempt @ 2010-03-16 12:02:29 was successful.
>
> DAM\bdc01 via RPC
>
> DC object GUID: d0589f5b-3879-4ed9-b94c-db6d0b33b0af
>
> Last attempt @ 2010-03-16 12:02:30 was successful.
>
> ---From BDc01---
>
> repadmin running command /showrepl against server localhost
>
> DAM\bdc01
>
> DC Options: IS_GC
>
> Site Options: (none)
>
> DC object GUID: d0589f5b-3879-4ed9-b94c-db6d0b33b0af
>
> DC invocationID: 3c658661-677a-4a29-821f-0e00ba288862
>
> ==== INBOUND NEIGHBORS ======================================
>
> DC=mycomp,DC=com
>
> RHO\dc04 via RPC
>
> DC object GUID: 25671f81-8b4c-404c-991f-e5ae1eb35d62
>
> Last attempt @ 2010-03-16 11:48:21 was successful.
>
> CN=Configuration,DC=mycomp,DC=com
>
> RHO\dc04 via RPC
>
> DC object GUID: 25671f81-8b4c-404c-991f-e5ae1eb35d62
>
> Last attempt @ 2010-03-16 11:48:20 was successful.
>
> CN=Schema,CN=Configuration,DC=mycomp,DC=com
>
> RHO\dc04 via RPC
>
> DC object GUID: 25671f81-8b4c-404c-991f-e5ae1eb35d62
>
> Last attempt @ 2010-03-16 11:48:20 was successful.
>
> DC=DomainDnsZones,DC=mycomp,DC=com
>
> RHO\dc04 via RPC
>
> DC object GUID: 25671f81-8b4c-404c-991f-e5ae1eb35d62
>
> Last attempt @ 2010-03-16 11:48:21 was successful.
>
> DC=ForestDnsZones,DC=mycomp,DC=com
>
> RHO\dc04 via RPC
>
> DC object GUID: 25671f81-8b4c-404c-991f-e5ae1eb35d62
>
> Last attempt @ 2010-03-16 11:48:22 was successful.
>
> -----
>
> Regards
> Lal
Re: Access Denied error while edit some of the GPOs in Windows 200 [message #412855 is a reply to message #412832] Tue, 16 March 2010 04:59
Laljeev M
Hi Meinolf

We have 3 sites

In Site01 we have 2 DCs (dc03 & dc04); all FSMO roles are installed on dc03,
and replication is enabled between 03 & 04.

In Site02 we have 1 DC (bdc01); replication between dc04 & bdc01 is enabled. We
restored bdc01 from dc03's backup.

Site03 has 1 DC, which failed due to a hardware issue.

We ran GPOTOOL.exe and found mismatches for those GPOs in SYSVOL between
those 3 DCs, and we face issues only for those GPOs. We can see mismatches
between dc03 & dc04, and for some GPOs a mismatch between dc04 & bdc01.

Can you help me to resolve this?

Regards
Lal
--
----Server Management Team----


"Meinolf Weber [MVP-DS]" wrote:

> Hello Laljeev,
>
> "We took system state back from a working DC, where all roles are installed.
> Then using dcpromo /adv command promoted the new DC"
>
> This is not a supported way of installing a DC; having FSMOs more than once
> this way will result in problems.
>
> What about DC2? Isn't it listed in AD Sites and Services, and do all DCs have
> replication connectors to the others?
>
> Best regards
>
> Meinolf Weber
> Disclaimer: This posting is provided "AS IS" with no warranties, and confers
> no rights.
> ** Please do NOT email, only reply to Newsgroups
> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
Re: Access Denied error while edit some of the GPOs in Windows 200 [message #413473 is a reply to message #412855] Tue, 16 March 2010 20:01
aceman, United States
Messages: 5816
Registered: July 2009
Senior Member
"Laljeev M" <news08@nospam.nospam> wrote in message news:65F1A611-66B9-4401-8648-EB3F3045F06A@microsoft.com...
> Hi Meinolf
>
> We have 3 sites
>
> in Site01 we have 2 Dcs (dc03 & Dc04), in DC03 installed all FSMO roles,
> replication enabled between 03 & 04
>
> Site 02, we have 1 Dc (bdc01), replication between dc04 & bdc01 enabled. We
> restored bdc01 from Dc03's backup
>
> Site03 has 1 Dc, which failed due to hardware issue
>
> We run GPOTOOL.exe and found mismatches for those GPOs in SYSVOL between
> those 3 DCs and we face issues only for those GPOs. We can see mismatches
> between Dc03 & Dc04 and for some GPOs mismatch between Dc04 & Bdc01.
>
> Can you help me to resolve this
>
> Regards
> Lal
>

A mismatch indicates a replication issue. Post the eventID# for the errors you see in all of your DCs, please.

Sometimes you can go into the older DC and edit the GPO, just change something, and it should sync up making them match again. If that doesn't work, then it is definitely back to a replication issue. This could be also due to a DNS misconfiguration.

However, what complicates trying to tech support this issue is the way you did it. You restored a DC with a system state that introduced an older DC that is holding a FSMO role being held by another DC. I'm willing to bet that the restored DC is holding the PDC Emulator role which is being held by another.

How old and how long offline was that DC's backup that you used to restore? Was a role seizure performed?

Also, run the following from each DC. Please post the results from each. I'm curious what each DC role thinks each holds.
netdom query fsmo

In addition, please post an ipconfig /all from each DC.

Thank you,

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and confers no rights.

Please reply back to the newsgroup or forum for collaboration benefit among responding engineers, and to help others benefit from your resolution.

Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services

If you feel this is an urgent issue and require immediate assistance, please contact Microsoft PSS directly. Please check http://support.microsoft.com for regional support phone numbers.
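
Added example (not part of any post in this thread, and not Microsoft's code): the GPOTOOL mismatches discussed in the reply above can be triaged from saved output by decoding each version into its user and machine counters, then separating "one DC's SYSVOL copy differs from its own directory copy" from "the DCs disagree with each other". The sample report is constructed in GPOTOOL's layout; the DC names, GUIDs, numbers and function names are this example's own assumptions.

```python
import re

# Constructed sample in the layout of a GPOTOOL.exe report.
# DC names, GUIDs and version numbers are invented for this example.
SAMPLE = """\
============================================================
Policy {11111111-2222-3333-4444-555555555555}
Friendly name: Example workstation policy
Policy OK
============================================================
Policy {AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}
Error: Version mismatch on dc-a.example.test, DS=196658, sysvol=196653
Friendly name: Example domain policy
Details:
------------------------------------------------------------
DC: dc-a.example.test
Friendly name: Example domain policy
DS version: 3(user) 50(machine)
Sysvol version: 3(user) 45(machine)
------------------------------------------------------------
------------------------------------------------------------
DC: dc-b.example.test
Friendly name: Example domain policy
DS version: 3(user) 50(machine)
Sysvol version: 3(user) 50(machine)
------------------------------------------------------------
"""

VERSION_RE = re.compile(r"^(DS|Sysvol) version:\s*(\d+)\(user\)\s*(\d+)\(machine\)")
ERROR_RE = re.compile(r"^Error: Version mismatch on ([^,\s]+), DS=(\d+), sysvol=(\d+)")


def split_version(raw):
    """A GPO version packs two 16-bit counters: user (high), machine (low)."""
    return raw >> 16, raw & 0xFFFF


def parse_gpotool(text):
    """Parse a report into a list of dicts: guid, name, ok, errors, dcs."""
    policies, current, dc = [], None, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Policy {"):
            current = {"guid": line[len("Policy "):], "name": None,
                       "ok": False, "errors": [], "dcs": {}}
            policies.append(current)
            dc = None
        elif current is None:
            continue  # banner lines before the first policy
        elif line == "Policy OK":
            current["ok"] = True
        elif line.startswith("Friendly name:") and current["name"] is None:
            current["name"] = line.split(":", 1)[1].strip()
        elif line.startswith("DC:"):
            dc = line.split(":", 1)[1].strip()
            current["dcs"][dc] = {}
        elif (m := ERROR_RE.match(line)):
            current["errors"].append({
                "dc": m.group(1),
                "ds": split_version(int(m.group(2))),
                "sysvol": split_version(int(m.group(3))),
            })
        elif (m := VERSION_RE.match(line)) and dc is not None:
            current["dcs"][dc][m.group(1).lower()] = (int(m.group(2)), int(m.group(3)))
    return policies


def find_mismatches(policies):
    """Return (guid, dc, finding, detail) tuples for every inconsistency."""
    findings = []
    for p in policies:
        # 1. On a single DC: directory object vs. gpt.ini in SYSVOL.
        for dc, v in p["dcs"].items():
            ds, sv = v.get("ds"), v.get("sysvol")
            if ds is None or sv is None or ds == sv:
                continue
            sides = [name for name, a, b in
                     (("user", ds[0], sv[0]), ("machine", ds[1], sv[1])) if a != b]
            findings.append((p["guid"], dc, "DS and SYSVOL differ on this DC", sides))
        # 2. Across DCs: which of the two stores has not converged.
        for key, label in (("ds", "directory copies differ between DCs"),
                           ("sysvol", "SYSVOL copies differ between DCs")):
            seen = {v[key] for v in p["dcs"].values() if key in v}
            if len(seen) > 1:
                findings.append((p["guid"], "*", label, sorted(seen)))
    return findings


if __name__ == "__main__":
    for finding in find_mismatches(parse_gpotool(SAMPLE)):
        print(finding)
```

A finding only in the SYSVOL column points at file replication of the SYSVOL share, while a difference in the directory column points at AD replication, which is the distinction the replies in this thread are trying to draw.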
Re: Access Denied error while edit some of the GPOs in Windows 200 [message #413566 is a reply to message #413473] Tue, 16 March 2010 22:27
Laljeev
Messages: 16
Registered: October 2009
Junior Member
Hi Ace

> A mismatch indicates a replication issue. Post the eventID# for the errors you see in all of your DCs, please.

No logs are generated in any of these 3 DCs, some logs are there in Dc04
which because of the failed DC

> Sometimes you can go into the older DC and edit the GPO, just change something, and it should sync up making them match again. If that doesn't work, then it is definitely back to a replication issue. This could be also due to a DNS misconfiguration.

I tried to edit from 3 DCs, getting the same error. On both the DCs BDC01 &
DC04, even if connected to the same DCs while editing GPO it's showing GPO
from DC03, from DC03 I used GPMC and connected to BDC03, at that time we are
getting many other errors other than access denied error like

> However, what complicates trying to tech support this issue is the way you did it. You restored a DC with a system state that introduced an older DC that is holding a FSMO role being held by another DC. I'm willing to bet that the restored DC is holding the PDC Emulator role which is being held by another.
> How old and how long offline was that DC's backup that you used to restore? Was a role seizure performed?

No, I clearly mentioned that we took the system state backup of dc03 (which
is in production and in site01) and using this backup we promoted the other
DC (because this site02 was not replicating properly for many months, so we
demoted bdc01 and again promoted using dcpromo /adv). For last 2 or more
years everything was working fine, recently this behaviour started.
For testing purpose we created a txt file in SYSVOL of all these DCs and
it's not replicating properly, but the scripts or small files
created in \\Domain\netlogon is replicating properly.

> Also, run the following from each DC. Please post the results from each. I'm curious what each DC role thinks each holds.
> netdom query fsmo

All DCs showing fsmo roles are in DC03.

> In addition, please post an ipconfig /all from each DC.

DC03

C:\>ipconfig /all

Windows IP Configuration

Host Name . . . . . . . . . . . . : dc03
Primary Dns Suffix . . . . . . . : mycomp.com
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : mycomp.com

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . : mycomp.com
Description . . . . . . . . . . . : HP NC7781 Gigabit Server Adapter
Physical Address. . . . . . . . . : 00-0B-CD-F0-27-C9
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 10.80.1.44
Subnet Mask . . . . . . . . . . . : 255.255.252.0
Default Gateway . . . . . . . . . : 10.80.1.1
DNS Servers . . . . . . . . . . . : 10.80.1.44
10.80.1.45
NetBIOS over Tcpip. . . . . . . . : Disabled

DC04

C:\Documents and Settings\lmam>ipconfig /all

Windows IP Configuration

Host Name . . . . . . . . . . . . : dc04
Primary Dns Suffix . . . . . . . : mycomp.com
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : mycomp.com

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . : mycomp.com
Description . . . . . . . . . . . : HP NC7781 Gigabit Server Adapter
Physical Address. . . . . . . . . : 00-0D-9D-DC-3F-92
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 10.80.1.45
Subnet Mask . . . . . . . . . . . : 255.255.252.0
Default Gateway . . . . . . . . . : 10.80.1.1
DNS Servers . . . . . . . . . . . : 10.80.1.45
10.80.1.44
NetBIOS over Tcpip. . . . . . . . : Disabled


BDC01

C:\Documents and Settings\lmam>ipconfig /all

Windows IP Configuration

Host Name . . . . . . . . . . . . : bdc01
Primary Dns Suffix . . . . . . . : mycomp.com
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : mycomp.com

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : HP NC3163 Fast Ethernet NIC
Physical Address. . . . . . . . . : 00-02-A5-ED-2C-8C
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 10.80.12.2
Subnet Mask . . . . . . . . . . . : 255.255.252.0
Default Gateway . . . . . . . . . : 10.80.12.9
DNS Servers . . . . . . . . . . . : 10.80.12.2
10.80.1.44
Primary WINS Server . . . . . . . : 10.80.12.2
Secondary WINS Server . . . . . . : 10.80.1.7
NetBIOS over Tcpip. . . . . . . . : Disabled

Regards
--
Server Management Team
Re: Access Denied error while edit some of the GPOs in Windows 200 [message #413654 is a reply to message #413566] Wed, 17 March 2010 02:53
meiweb, Germany
Messages: 2225
Registered: September 2009
Senior Member
Hello Laljeev,

The ipconfig output seems to be ok. What's about DC2, will it come back?
If not you should remove it from AD database with ntdsutil. Also make sure
to use NOT another DCs system state backup for restoring DC2.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


Re: Access Denied error while edit some of the GPOs in Windows 200 [message #413763 is a reply to message #413654] Wed, 17 March 2010 06:50
Laljeev M
Messages: 33
Registered: August 2009
Member
Dear Meinolf

We are planning install DC by next week, tell me how can we install a DC in
a remote location without systemstate backup?

As per MS article (http://support.microsoft.com/kb/290647) I modified SYSVOL
permissions on DCs and will check the GPOs later, do you have any suggestions
to resolve the issues?

Regards

--
----Server Management Team----
Re: Access Denied error while edit some of the GPOs in Windows 200 [message #413769 is a reply to message #413763] Wed, 17 March 2010 07:05
Meinolf Weber MVP-DS, Germany
Messages: 129
Registered: July 2009
Senior Member
Hello Laljeev,

What kind of connection do you have between the sites? If the bandwidth between
the sites is too small install the DC in the main office, change the IP address
for the remote office and ship it there. For the GPO mismatch I think it
belongs to the previous installed DC from another machine's system state which
also had the FSMO roles.

Which DC is having all GPOs and on which one you can access all of them?

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> Dear Meinolf
>
> We are planning install DC by next week, tell me how can we install a
> DC in a remote location without systemstate backup?
>
> As per MS article (http://support.microsoft.com/kb/290647) I modified
> SYSVOL permissions on DCs and will check the GPOs later, do you have
> any suggestions to resolve the issues?
>
> Regards
>
> "Meinolf Weber [MVP-DS]" wrote:
>
Re: Access Denied error while edit some of the GPOs in Windows 200 [message #413857 is a reply to message #413763] Wed, 17 March 2010 09:15
aceman, United States
Messages: 5816
Registered: July 2009
Senior Member
"Laljeev M" <news08@nospam.nospam> wrote in message news:B6C49739-5F79-464F-BD82-997D5CDAE8A5@microsoft.com...
> Dear Meinolf
>
> We are planning install DC by next week, tell me how can we install a DC in
> a remote location without systemstate backup?
>
> As per MS article (http://support.microsoft.com/kb/290647) I modified SYSVOL
> permissions on DCs and will check the GPOs later, do you have any suggestions
> to resolve the issues?
>
> Regards
>
> --
> ----Server Management Team----

I don't know why you are focusing on using a systemstate backup to install a DC??? That's the premise that caused your current issues.

You said that a DC was down for a couple of months. How long exactly is "a couple of months?" Is it more than 6 months (180 days)? If so, you can't restore a 2003 or newer DC beyond that time period because that is the TTL for all AD objects to get scavenged from the AD database. I would suggest to scrap that DC you installed, and follow Meinolf's suggestion to use ntdsutil to perform a Metadata cleanup to remove its reference. I would actually do that anyway, bring your systems back to the point before you restored that systemstate, and get a fresh start, and simply install a fresh copy of Windows and promote it as a new DC.

I agree with Meinolf to install and promote it locally, then ship it, if the line is slow. Or simply install a fresh copy of Windows server on the machine, set it up to allow RDP, ship it, remote in and promote it. Nothing to it. :-)

As for the ipconfigs, they look good, too. One thing I should mention about WINS. A WINS server must ONLY point to itself, with no other WINS addresses. This is because of the way WINS works regarding record ownerships. If you put another one in the WINS server ipconfig, the ownership attribute gets skewed. Setup WINS replication partners between your WINS servers. You can put two WINS servers addresses in any non-WINS server or workstation.

Ace
Re: Access Denied error while edit some of the GPOs in Windows 200 [message #414709 is a reply to message #413857] Thu, 18 March 2010 08:38
Laljeev M
Messages: 33
Registered: August 2009
Member
Hi

Thanks for your responses.

Shall I do one thing. I will demote the DC Bdc01 from site02 and will promote
it again to additional DC (not from systemstate backup), same will be done
for the other failed Dc.

Will it resolve the issues? After demoting the DC how to cleanup the SYSVOL
and other databases in that DC, because DHCP is running on that DC.

Regards
--
----Server Management Team----
Re: Access Denied error while edit some of the GPOs in Windows 200 [message #414720 is a reply to message #414709] Thu, 18 March 2010 08:46
meiweb, Germany
Messages: 2225
Registered: September 2009
Senior Member
Hello Laljeev,

As I asked before, use one DC/DNS/GC which is completely up to date with each
account, working GPOs etc. and make sure this can work alone for the domain,
just disconnect the other DCs for one day. If everything works move the FSMO
roles to this one.

After still everything is working you can demote the not optimal installed
DCs and cleanup AD database if needed, then reinstall them and add them again
as DC the correct way. This option should guarantee that all new installed
DCs get the correct database information.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> Hi
>
> Thanks for your responses.
>
> Shall I do one thing. I will demote the DC Bdc01 from site02 and will
> promote it again to additional DC (not from systemstate backup), same
> will be done for the other failed Dc.
>
> Will it resolve the issues? After demoting the DC how to cleanup the
> SYSVOL and other databases in that DC, because DHCP is running on that
> DC.
>
> Regards
>
Re: Access Denied error while edit some of the GPOs in Windows 200 [message #415189 is a reply to message #414709] Fri, 19 March 2010 00:52
aceman, United States
Messages: 5816
Registered: July 2009
Senior Member
"Laljeev M" <news08@nospam.nospam> wrote in message news:FB02B828-BDC2-4077-B4B8-2787E5B485C4@microsoft.com...
> Hi
>
> Thanks for your responses.
>
> Shall I do one thing. I will demote the DC Bdc01 from site02 and will promote
> it again to additional DC (not from systemstate backup), same will be done
> for the other failed Dc.
>
> Will it resolve the issues? After demoting the DC how to cleanup the SYSVOL
> and other databases in that DC, because DHCP is running on that DC.
>
> Regards
> --
> ----Server Management Team----
>
>


First, I agree with Meinolf that to make sure that the old DCs are no longer referenced in the AD database by running the Metadata cleanup procedure outlined in:
http://support.microsoft.com/kb/216498

Then actually, I would suggest before you promote anything else to a DC, let's work on straightening out the Sysvol issue. Let us know if the metadata cleanup works before moving forward.

Ace
Re: Access Denied error while edit some of the GPOs in Windows 200 [message #418933 is a reply to message #415189] Wed, 24 March 2010 12:02
Laljeev M
Messages: 33
Registered: August 2009
Member
Hi All

We removed the DC from the 2nd site and also removed all the occurrences of
the removed DC from AD, DNS. Even before this we noticed one thing,
immediately after restarting the DC we are able to edit all GPOs. Same is
happening after removing the DC from 2nd site. Clearly speaking, immediately
after restarting the DC we are able to edit all GPOs (which includes default
Domain Policy), but after some time again facing the same issue.

Also we moved the PDC role to the 2nd node, then for some time we are able
to edit the GPOs, but the issue repeats. Later we moved back the PDC to same
DC. Currently we have only one site with 2 DCs, all FSMO roles in 1 DC and
DHCP configured in 2nd DC.

Can you help us

Regards
Lal
----Server Management Team----
Re: Access Denied error while edit some of the GPOs in Windows 200 [message #419323 is a reply to message #418933] Wed, 24 March 2010 22:54
aceman, United States
Messages: 5816
Registered: July 2009
Senior Member
"Laljeev M" <news08@nospam.nospam> wrote in message news:C51D241C-34F0-43BF-A0F2-83B453CE30E2@microsoft.com...
> Hi All
>
> We removed the DC from the 2nd site and also removed all the occurrences of
> the removed DC from AD, DNS. Even before this we noticed one thing,
> immediately after restarting the DC we are able to edit all GPOs. Same is
> happening after removing the DC from 2nd site. Clearly speaking, immediately
> after restarting the DC we are able to edit all GPOs (which includes default
> Domain Policy), but after some time again facing the same issue.
>
> Also we moved the PDC role to the 2nd node, then for some time we are able
> to edit the GPOs, but the issue repeats. Later we moved back the PDC to same
> DC. Currently we have only one site with 2 DCs, all FSMO roles in 1 DC and
> DHCP configured in 2nd DC.
>
> Can you help us
>
> Regards
> Lal
> ----Server Management Team----
>


Apparently we are making some headway. It appears there is a communication problem to the server holding the PDC Emulator role. Run "netdom query fsmo" on each server, and post the results.

Give us an updated ipconfig /all, too, please.

Are you still seeing the mismatched error message?

Anything new in the Event logs? Please post any new errors or old errors, if you are still getting them.


--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and confers no rights.

Please reply back to the newsgroup or forum for collaboration benefit among responding engineers, and to help others benefit from your resolution.

Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services

If you feel this is an urgent issue and require immediate assistance, please contact Microsoft PSS directly. Please check http://support.microsoft.com for regional support phone numbers.
Re: Access Denied error while edit some of the GPOs in Windows 200 [message #419424 is a reply to message #419323] Thu, 25 March 2010 05:10
Laljeev M
Messages: 33
Registered: August 2009
Member
Hi Ace

Thanks for your help
1) For netdom both the servers giving same output as below

Schema owner pdc03.mycomp.com

Domain role owner pdc03.mycomp.com

PDC role pdc03.mycomp.com

RID pool manager pdc03.mycomp.com

Infrastructure owner pdc03.mycomp.com

2) Below are IPCONFIG output

Host Name . . . . . . . . . . . . :pdc03
Primary Dns Suffix . . . . . . . : mycomp.com
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : mycomp.com

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . : mycomp.com
Description . . . . . . . . . . . : HP NC7781 Gigabit Server Adapter
Physical Address. . . . . . . . . : 00-0B-CD-F0-27-C9
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 10.80.1.44
Subnet Mask . . . . . . . . . . . : 255.255.252.0
Default Gateway . . . . . . . . . : 10.80.1.1
DNS Servers . . . . . . . . . . . : 10.80.1.44
10.80.1.45

Host Name . . . . . . . . . . . . :pdc04
Primary Dns Suffix . . . . . . . : mycomp.com
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : mycomp.com

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . : mycomp.com
Description . . . . . . . . . . . : HP NC7781 Gigabit Server Adapter
Physical Address. . . . . . . . . : 00-0D-9D-DC-3F-92
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 10.80.1.45
Subnet Mask . . . . . . . . . . . : 255.255.252.0
Default Gateway . . . . . . . . . : 10.80.1.1
DNS Servers . . . . . . . . . . . : 10.80.1.45
10.80.1.44
NetBIOS over Tcpip. . . . . . . . : Disabled

3) From yesterday in PDC03 we are getting errors (1030 & 1058) only on PDC03
as below

Windows cannot access the file gpt.ini for GPO
cn={BEB01D8A-FE42-4B03-B96A-CF6F631782A0},cn=policies,cn=system,DC=MYSAGIA,DC=GOV.
The file must be present at the location
< \\mycomp.com\SysVol\mycomp.com\Policies\{BEB01D8A-FE42-4B03-B96A-CF6F631782A0}\gpt.ini >. (Access is denied. ). Group Policy processing aborted.

user SYSTEM

after removing this GPO, which is applied at site level, started getting
another error as below for another GPO

Windows cannot access the file gpt.ini for GPO
cn={526D7832-E621-4717-956A-C4EA12787AC5},cn=policies,cn=system,DC=MYSAGIA,DC=GOV.
The file must be present at the location
< \\mycomp.com\SysVol\mycomp.com\Policies\{526D7832-E621-4717-956A-C4EA12787AC5}\gpt.ini >. (Access is denied. ). Group Policy processing aborted.

user System

4) Below is Gpotool.exe output from pdc03


Validating DCs...
Available DCs:
pdc03.mycomp.com
pdc04.mycomp.com
Searching for policies...
Found 32 policies
============================================================
Policy {15F97E0D-396B-4912-A930-0F26F133BA34}
Friendly name: Add _techSupportDAM to local Admin except servers & syseng
Policy OK
============================================================
Policy {1B7E43CF-7B3C-4A19-B576-5A05D6C65873}
Friendly name: Disable SUS client
Policy OK
============================================================
Policy {25894A7F-3983-47B7-83CB-AE4061193691}
Friendly name: SCCM Agent Installtion - Logon Script
Policy OK
============================================================
Policy {31B2F340-016D-11D2-945F-00C04FB984F9}
Error: Version mismatch on pdc03.mycomp.com, DS=262248, sysvol=262228
Friendly name: Default Domain Policy
Details:
------------------------------------------------------------
DC: pdc03.mycomp.com
Friendly name: Default Domain Policy
Created: 5/4/2002 12:30:23 PM
Changed: 3/25/2010 9:55:08 AM
DS version: 4(user) 104(machine)
Sysvol version: 4(user) 84(machine)
Flags: 0 (user side enabled; machine side enabled)
User extensions:
[{3060E8D0-7020-11D2-842D-00C04FA372D4}{3060E8CE-7020-11D2-842D-00C04FA372D4}][{A2E30F80-D7DE-11D2-BBDE-00C04F86AE3B}{FC715823-C5FB-11D1-9EEF-00A0C90347FF}]
Machine extensions:
[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957D-509E-11D1-A7CC-0000F87571E3}{53D6AB1B-2488-11D1-A28C-00C04FB94F17}{53D6AB1D-2488-11D1-A28C-00C04FB94F17}][{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}][{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}{53D6AB1B-2488-11D1-A28C-00C04FB94F17}{53D6AB1D-2488-11D1-A28C-00C04FB94F17}]
Functionality version: 2
------------------------------------------------------------
------------------------------------------------------------
DC: pdc04.mycomp.com
Friendly name: Default Domain Policy
Created: 5/4/2002 12:30:23 PM
Changed: 3/25/2010 9:55:24 AM
DS version: 4(user) 104(machine)
Sysvol version: 4(user) 104(machine)
Flags: 0 (user side enabled; machine side enabled)
User extensions:
[{3060E8D0-7020-11D2-842D-00C04FA372D4}{3060E8CE-7020-11D2-842D-00C04FA372D4}][{A2E30F80-D7DE-11D2-BBDE-00C04F86AE3B}{FC715823-C5FB-11D1-9EEF-00A0C90347FF}]
Machine extensions:
[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957D-509E-11D1-A7CC-0000F87571E3}{53D6AB1B-2488-11D1-A28C-00C04FB94F17}{53D6AB1D-2488-11D1-A28C-00C04FB94F17}][{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}][{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}{53D6AB1B-2488-11D1-A28C-00C04FB94F17}{53D6AB1D-2488-11D1-A28C-00C04FB94F17}]
Functionality version: 2
------------------------------------------------------------
============================================================
Policy {42174B77-B2A7-43BC-973B-AAEB2CBBC353}
Friendly name: modify IE home page to MYSAGIA & Bypass proxy enabled
Policy OK
============================================================
Policy {4DAF3660-DE8F-48A6-B267-9FFC8A9397F5}
Friendly name: Windows XP SP2 Firewall settings
Error: pdc03.mycomp.com - pdc04.mycomp.com sysvol mismatch
Details:
------------------------------------------------------------
DC: pdc03.mycomp.com
Friendly name: Windows XP SP2 Firewall settings
Created: 9/7/2004 5:50:50 AM
Changed: 10/22/2008 12:10:52 PM
DS version: 0(user) 26(machine)
Sysvol version: 0(user) 26(machine)
Flags: 0 (user side enabled; machine side enabled)
User extensions: not found
Machine extensions:
[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957D-509E-11D1-A7CC-0000F87571E3}][{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}]
Functionality version: 2
------------------------------------------------------------
------------------------------------------------------------
DC: pdc04.mycomp.com
Friendly name: Windows XP SP2 Firewall settings
Created: 9/7/2004 5:50:50 AM
Changed: 10/22/2008 12:11:36 PM
DS version: 0(user) 26(machine)
Sysvol version: 0(user) 26(machine)
Flags: 0 (user side enabled; machine side enabled)
User extensions: not found
Machine extensions:
[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957D-509E-11D1-A7CC-0000F87571E3}][{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}]
Functionality version: 2
------------------------------------------------------------
============================================================
Policy {526D7832-E621-4717-956A-C4EA12787AC5}
Friendly name: Enable Remote access features
Policy OK
============================================================
Policy {5525A7FF-996B-4EEB-BC01-9D588B088E71}
Friendly name: Add _techSupportRHO to local Admin except servers & syseng
Policy OK
============================================================
Policy {5D0C8DD1-CB4C-42FF-A0BB-AD336AED8E17}
Friendly name: New Group Policy Object
Policy OK
============================================================
Policy {640048BD-2875-4952-9C3D-4E5D38BB521E}
Friendly name: IE Proxy_ Jed Site
Policy OK
============================================================
Policy {6848ACAE-73D8-4F76-A59A-99C14ED56616}
Friendly name: Update time sync parameters & TimeZone values for nonDC
Policy OK
============================================================
Policy {6863DB6B-0560-4C31-9928-4663F9DF1F2B}
Friendly name: RF Client 9.0 Installation
Policy OK
============================================================
Policy {6AC1786C-016F-11D2-945F-00C04FB984F9}
Friendly name: Default Domain Controllers Policy
Policy OK
============================================================
Policy {6BDE4791-2B84-4555-9F6E-781FF688CC9C}
Friendly name: SAGIAOSType variable add
Policy OK
============================================================
Policy {6D1E9C4C-A0DB-4365-A9B0-8FFA4D1B202B}
Friendly name: Security Logging & Auditing
Policy OK
============================================================
Policy {6F8601FD-6A10-4DE1-8A1E-B8F76CC269B3}
Friendly name: New Proxy For Ryd
Policy OK
============================================================
Policy {83DC7387-2C5D-4CE8-A5E8-661BF56E24A1}
Friendly name: Prevent Conficker GPO
Policy OK
============================================================
Policy {86451220-1667-4226-871E-64BE1586B625}
Friendly name: Security Zone GPO (SAP EP SSO)
Policy OK
============================================================
Policy {86FD8E3D-7C6F-4C52-96AC-3AD3B16C1663}
Friendly name: Disable Proxy Settings - Riyadh
Policy OK
============================================================
Policy {9AA171E1-534C-4E8A-AB5E-11D8A4AFBCCE}
Friendly name: Investor User restriction
Policy OK
============================================================
Policy {9DB207D5-1B8A-4C24-8D58-4C07BDD3E342}
Friendly name: Servers logging, Auditing & Account lock out & Banner
Policy OK
============================================================
Policy {B71860F5-9C06-449C-B87B-D5C4F8587A5D}
Friendly name: OCS 2007 R2 Installation
Policy OK
============================================================
Policy {BAF3194A-B545-4828-B40E-04A3556E0A98}
Friendly name: IE Home Page
Policy OK
============================================================
Policy {CDBC55B5-61C8-4814-95F6-C7EF27D32A8C}
Friendly name: SCCM Client Agent Installation
Policy OK
============================================================
Policy {D1EBF1CC-FBEE-4C22-BC3C-2A29C414BB86}
Friendly name: MS Office 2007 Template to Whitelist Spam
Policy OK
============================================================
Policy {D74DB362-376E-4755-9AF5-E896A7EEE3C4}
Friendly name: Remote access
Policy OK
============================================================
Policy {DB5858E8-EE40-492A-8344-E4263085481D}
Friendly name: HijriAdjustment-decrement1
Policy OK
============================================================
Policy {DF1CAC42-E1CD-4D68-88F4-7ECEED7791F0}
Friendly name: MS Office 2007 Reg Value
Policy OK
============================================================
Policy {E9FF7AA0-8357-4E7C-A721-163E54F60BA6}
Friendly name: IE Proxy - Dam Site
Policy OK
============================================================
Policy {F5016DA4-EAE9-4CF1-B8A4-B98844B890BB}
Friendly name: Google secreen server
Policy OK
============================================================
Policy {F7170DAF-D7C2-4CFD-B43B-1513550DF8B8}
Friendly name: Enabling Logon Screen Saver for 30 min idle
Policy OK
============================================================
Policy {FE9088C0-BF04-4DCF-90CD-9BD66438E10D}
Friendly name: SAGIA Password Policy
Policy OK
============================================================

Errors found

Also now getting error on both DCs for win32time, it started after changing
the PDC role to pdc04 for some time yesterday

Do you have any clue?

Regards
Lal
--
----Server Management Team----
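In the gpotool output above, "DS=262248, sysvol=262228" packs the user version into the upper 16 bits and the machine version into the lower 16, which is why it matches "4(user) 104(machine)" against "4(user) 84(machine)". The following is an added example, not part of the original post, that parses gpotool text and lists each DC whose directory and SYSVOL copies of a policy disagree; the function names are hypothetical and the sample is abbreviated from the output above.

```python
import re

# Sample abbreviated from the gpotool.exe output posted above (two policies only).
SAMPLE = """\
Policy {1B7E43CF-7B3C-4A19-B576-5A05D6C65873}
Friendly name: Disable SUS client
Policy OK
============================================================
Policy {31B2F340-016D-11D2-945F-00C04FB984F9}
Error: Version mismatch on pdc03.mycomp.com, DS=262248, sysvol=262228
Friendly name: Default Domain Policy
Details:
------------------------------------------------------------
DC: pdc03.mycomp.com
DS version: 4(user) 104(machine)
Sysvol version: 4(user) 84(machine)
------------------------------------------------------------
DC: pdc04.mycomp.com
DS version: 4(user) 104(machine)
Sysvol version: 4(user) 104(machine)
------------------------------------------------------------
"""

POLICY = re.compile(r"^Policy (\{[0-9A-Fa-f-]{36}\})\s*$")
DC = re.compile(r"^DC: (\S+)")
VER = re.compile(r"^(DS|Sysvol) version: (\d+)\(user\) (\d+)\(machine\)")


def split_version(number):
    """Split a combined GPO version number into (user, machine)."""
    return number >> 16, number & 0xFFFF


def join_version(user, machine):
    """Combine user and machine versions into the single number gpotool prints."""
    return (user << 16) | machine


def find_mismatches(text):
    """Return (guid, dc, ds_number, sysvol_number) for every DC whose
    directory (DS) and SYSVOL versions of a policy differ."""
    results = []
    guid = dc = None
    seen = {}
    for raw in text.splitlines():
        # Tolerate newsgroup-style "> " quoting in pasted output.
        line = raw.lstrip("> ").strip()
        m = POLICY.match(line)
        if m:
            guid, dc, seen = m.group(1), None, {}
            continue
        m = DC.match(line)
        if m:
            dc, seen = m.group(1), {}
            continue
        m = VER.match(line)
        if m and guid and dc:
            seen[m.group(1)] = join_version(int(m.group(2)), int(m.group(3)))
            if len(seen) == 2 and seen["DS"] != seen["Sysvol"]:
                results.append((guid, dc, seen["DS"], seen["Sysvol"]))
    return results


if __name__ == "__main__":
    for guid, dc, ds, sysvol in find_mismatches(SAMPLE):
        print(guid, dc, "DS", split_version(ds), "SYSVOL", split_version(sysvol))
```

The check compares version numbers only; the "sysvol mismatch" error reported for the firewall policy, where both DCs show identical versions, is not something it detects.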
Re: Access Denied error while edit some of the GPOs in Windows 200 [message #419556 is a reply to message #419424] Thu, 25 March 2010 08:40
aceman, United States
Messages: 5816
Registered: July 2009
Senior Member
"Laljeev M" <news08@nospam.nospam> wrote in message news:20563F8B-B6D3-4D12-A29B-770A8DC4A4C9@microsoft.com...
> Hi Ace
>
> Thanks for your help
> 1) For netdom both the servers giving same output as below
>
> Schema owner pdc03.mycomp.com
>
> Domain role owner pdc03.mycomp.com
>
> PDC role pdc03.mycomp.com
>
> RID pool manager pdc03.mycomp.com
>
> Infrastructure owner pdc03.mycomp.com
>
> 2) Below are IPCONFIG output
>
> Host Name . . . . . . . . . . . . :pdc03
> Primary Dns Suffix . . . . . . . : mycomp.com
> Node Type . . . . . . . . . . . . : Unknown
> IP Routing Enabled. . . . . . . . : No
> WINS Proxy Enabled. . . . . . . . : No
> DNS Suffix Search List. . . . . . : mycomp.com
>
> Ethernet adapter Local Area Connection:
>
> Connection-specific DNS Suffix . : mycomp.com
> Description . . . . . . . . . . . : HP NC7781 Gigabit Server Adapter
> Physical Address. . . . . . . . . : 00-0B-CD-F0-27-C9
> DHCP Enabled. . . . . . . . . . . : No
> IP Address. . . . . . . . . . . . : 10.80.1.44
> Subnet Mask . . . . . . . . . . . : 255.255.252.0
> Default Gateway . . . . . . . . . : 10.80.1.1
> DNS Servers . . . . . . . . . . . : 10.80.1.44
> 10.80.1.45
>
> Host Name . . . . . . . . . . . . :pdc04
> Primary Dns Suffix . . . . . . . : mycomp.com
> Node Type . . . . . . . . . . . . : Unknown
> IP Routing Enabled. . . . . . . . : No
> WINS Proxy Enabled. . . . . . . . : No
> DNS Suffix Search List. . . . . . : mycomp.com
>
> Ethernet adapter Local Area Connection:
>
> Connection-specific DNS Suffix . : mycomp.com
> Description . . . . . . . . . . . : HP NC7781 Gigabit Server Adapter
> Physical Address. . . . . . . . . : 00-0D-9D-DC-3F-92
> DHCP Enabled. . . . . . . . . . . : No
> IP Address. . . . . . . . . . . . : 10.80.1.45
> Subnet Mask . . . . . . . . . . . : 255.255.252.0
> Default Gateway . . . . . . . . . : 10.80.1.1
> DNS Servers . . . . . . . . . . . : 10.80.1.45
> 10.80.1.44
> NetBIOS over Tcpip. . . . . . . . : Disabled
>
> 3) From yesterday in PDC03 we are getting errors (1030 & 1058) only on PDC03
> as below
>
> Windows cannot access the file gpt.ini for GPO
> cn={BEB01D8A-FE42-4B03-B96A-CF6F631782A0},cn=policies,cn=system,DC=MYSAGIA,DC=GOV.
> The file must be present at the location
> < \\mycomp.com\SysVol\mycomp.com\Policies\{BEB01D8A-FE42-4B03-B96A-CF6F631782A0}\gpt.ini >. (Access is denied. ). Group Policy processing aborted.
>
> user SYSTEM
>
> after removing this GPO, which is applied at site level, started getting
> another error as below for another GPO
>
> Windows cannot access the file gpt.ini for GPO
> cn={526D7832-E621-4717-956A-C4EA12787AC5},cn=policies,cn=system,DC=MYSAGIA,DC=GOV.
> The file must be present at the location
> < \\mycomp.com\SysVol\mycomp.com\Policies\{526D7832-E621-4717-956A-C4EA12787AC5}\gpt.ini >. (Access is denied. ). Group Policy processing aborted.
>
> user System
>
> 4) Below is Gpotool.exe output from pdc03
>
>
> Validating DCs...
> Available DCs:
> pdc03.mycomp.com
> pdc04.mycomp.com
> Searching for policies...
> Found 32 policies
> ============================================================
> Policy {15F97E0D-396B-4912-A930-0F26F133BA34}
> Friendly name: Add _techSupportDAM to local Admin except servers & syseng
> Policy OK
> ============================================================
> Policy {1B7E43CF-7B3C-4A19-B576-5A05D6C65873}
> Friendly name: Disable SUS client
> Policy OK
> ============================================================
> Policy {25894A7F-3983-47B7-83CB-AE4061193691}
> Friendly name: SCCM Agent Installtion - Logon Script
> Policy OK
> ============================================================
> Policy {31B2F340-016D-11D2-945F-00C04FB984F9}
> Error: Version mismatch on pdc03.mycomp.com, DS=262248, sysvol=262228
> Friendly name: Default Domain Policy
> Details:
> ------------------------------------------------------------
> DC: pdc03.mycomp.com
> Friendly name: Default Domain Policy
> Created: 5/4/2002 12:30:23 PM
> Changed: 3/25/2010 9:55:08 AM
> DS version: 4(user) 104(machine)
> Sysvol version: 4(user) 84(machine)
> Flags: 0 (user side enabled; machine side enabled)
> User extensions:
> [{3060E8D0-7020-11D2-842D-00C04FA372D4}{3060E8CE-7020-11D2-842D-00C04FA372D4}][{A2E30F80-D7DE-11D2-BBDE-00C04F86AE3B}{FC715823-C5FB-11D1-9EEF-00A0C90347FF}]
> Machine extensions:
> [{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957D-509E-11D1-A7CC-0000F87571E3}{53D6AB1B-2488-11D1-A28C-00C04FB94F17}{53D6AB1D-2488-11D1-A28C-00C04FB94F17}][{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}][{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}{53D6AB1B-2488-11D1-A28C-00C04FB94F17}{53D6AB1D-2488-11D1-A28C-00C04FB94F17}]
> Functionality version: 2
> ------------------------------------------------------------
> ------------------------------------------------------------
> DC: pdc04.mycomp.com
> Friendly name: Default Domain Policy
> Created: 5/4/2002 12:30:23 PM
> Changed: 3/25/2010 9:55:24 AM
> DS version: 4(user) 104(machine)
> Sysvol version: 4(user) 104(machine)
> Flags: 0 (user side enabled; machine side enabled)
> User extensions:
> [{3060E8D0-7020-11D2-842D-00C04FA372D4}{3060E8CE-7020-11D2-842D-00C04FA372D4}][{A2E30F80-D7DE-11D2-BBDE-00C04F86AE3B}{FC715823-C5FB-11D1-9EEF-00A0C90347FF}]
> Machine extensions:
> [{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957D-509E-11D1-A7CC-0000F87571E3}{53D6AB1B-2488-11D1-A28C-00C04FB94F17}{53D6AB1D-2488-11D1-A28C-00C04FB94F17}][{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}][{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}{53D6AB1B-2488-11D1-A28C-00C04FB94F17}{53D6AB1D-2488-11D1-A28C-00C04FB94F17}]
> Functionality version: 2
> ------------------------------------------------------------
> ============================================================
> Policy {42174B77-B2A7-43BC-973B-AAEB2CBBC353}
> Friendly name: modify IE home page to MYSAGIA & Bypass proxy enabled
> Policy OK
> ============================================================
> Policy {4DAF3660-DE8F-48A6-B267-9FFC8A9397F5}
> Friendly name: Windows XP SP2 Firewall settings
> Error: pdc03.mycomp.com - pdc04.mycomp.com sysvol mismatch
> Details:
> ------------------------------------------------------------
> DC: pdc03.mycomp.com
> Friendly name: Windows XP SP2 Firewall settings
> Created: 9/7/2004 5:50:50 AM
> Changed: 10/22/2008 12:10:52 PM
> DS version: 0(user) 26(machine)
> Sysvol version: 0(user) 26(machine)
> Flags: 0 (user side enabled; machine side enabled)
> User extensions: not found
> Machine extensions:
> [{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957D-509E-11D1-A7CC-0000F87571E3}][{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}]
> Functionality version: 2
> ------------------------------------------------------------
> ------------------------------------------------------------
> DC: pdc04.mycomp.com
> Friendly name: Windows XP SP2 Firewall settings
> Created: 9/7/2004 5:50:50 AM
> Changed: 10/22/2008 12:11:36 PM
> DS version: 0(user) 26(machine)
> Sysvol version: 0(user) 26(machine)
> Flags: 0 (user side enabled; machine side enabled)
> User extensions: not found
> Machine extensions:
> [{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957D-509E-11D1-A7CC-0000F87571E3}][{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}]
> Functionality version: 2
> ------------------------------------------------------------
> ============================================================
> Policy {526D7832-E621-4717-956A-C4EA12787AC5}
> Friendly name: Enable Remote access features
> Policy OK
> ============================================================
> Policy {5525A7FF-996B-4EEB-BC01-9D588B088E71}
> Friendly name: Add _techSupportRHO to local Admin except servers & syseng
> Policy OK
> ============================================================
> Policy {5D0C8DD1-CB4C-42FF-A0BB-AD336AED8E17}
> Friendly name: New Group Policy Object
> Policy OK
> ============================================================
> Policy {640048BD-2875-4952-9C3D-4E5D38BB521E}
> Friendly name: IE Proxy_ Jed Site
> Policy OK
> ============================================================
> Policy {6848ACAE-73D8-4F76-A59A-99C14ED56616}
> Friendly name: Update time sync parameters & TimeZone values for nonDC
> Policy OK
> ============================================================
> Policy {6863DB6B-0560-4C31-9928-4663F9DF1F2B}
> Friendly name: RF Client 9.0 Installation
> Policy OK
> ============================================================
> Policy {6AC1786C-016F-11D2-945F-00C04FB984F9}
> Friendly name: Default Domain Controllers Policy
> Policy OK
> ============================================================
> Policy {6BDE4791-2B84-4555-9F6E-781FF688CC9C}
> Friendly name: SAGIAOSType variable add
> Policy OK
> ============================================================
> Policy {6D1E9C4C-A0DB-4365-A9B0-8FFA4D1B202B}
> Friendly name: Security Logging & Auditing
> Policy OK
> ============================================================
> Policy {6F8601FD-6A10-4DE1-8A1E-B8F76CC269B3}
> Friendly name: New Proxy For Ryd
> Policy OK
> ============================================================
> Policy {83DC7387-2C5D-4CE8-A5E8-661BF56E24A1}
> Friendly name: Prevent Conficker GPO
> Policy OK
> ============================================================
> Policy {86451220-1667-4226-871E-64BE1586B625}
> Friendly name: Security Zone GPO (SAP EP SSO)
> Policy OK
> ============================================================
> Policy {86FD8E3D-7C6F-4C52-96AC-3AD3B16C1663}
> Friendly name: Disable Proxy Settings - Riyadh
> Policy OK
> ============================================================
> Policy {9AA171E1-534C-4E8A-AB5E-11D8A4AFBCCE}
> Friendly name: Investor User restriction
> Policy OK
> ============================================================
> Policy {9DB207D5-1B8A-4C24-8D58-4C07BDD3E342}
> Friendly name: Servers logging, Auditing & Account lock out & Banner
> Policy OK
> ============================================================
> Policy {B71860F5-9C06-449C-B87B-D5C4F8587A5D}
> Friendly name: OCS 2007 R2 Installation
> Policy OK
> ============================================================
> Policy {BAF3194A-B545-4828-B40E-04A3556E0A98}
> Friendly name: IE Home Page
> Policy OK
> ============================================================
> Policy {CDBC55B5-61C8-4814-95F6-C7EF27D32A8C}
> Friendly name: SCCM Client Agent Installation
> Policy OK
> ============================================================
> Policy {D1EBF1CC-FBEE-4C22-BC3C-2A29C414BB86}
> Friendly name: MS Office 2007 Template to Whitelist Spam
> Policy OK
> ============================================================
> Policy {D74DB362-376E-4755-9AF5-E896A7EEE3C4}
> Friendly name: Remote access
> Policy OK
> ============================================================
> Policy {DB5858E8-EE40-492A-8344-E4263085481D}
> Friendly name: HijriAdjustment-decrement1
> Policy OK
> ============================================================
> Policy {DF1CAC42-E1CD-4D68-88F4-7ECEED7791F0}
> Friendly name: MS Office 2007 Reg Value
> Policy OK
> ============================================================
> Policy {E9FF7AA0-8357-4E7C-A721-163E54F60BA6}
> Friendly name: IE Proxy - Dam Site
> Policy OK
> ============================================================
> Policy {F5016DA4-EAE9-4CF1-B8A4-B98844B890BB}
> Friendly name: Google secreen server
> Policy OK
> ============================================================
> Policy {F7170DAF-D7C2-4CFD-B43B-1513550DF8B8}
> Friendly name: Enabling Logon Screen Saver for 30 min idle
> Policy OK
> ============================================================
> Policy {FE9088C0-BF04-4DCF-90CD-9BD66438E10D}
> Friendly name: SAGIA Password Policy
> Policy OK
> ============================================================
>
> Errors found
>
> Also now getting error on both DCs for win32time, it started after changing
> the PDC role to pdc04 for some time yesterday
>
> Do you have any clue?
>
> Regards
> Lal
> --
> ----Server Management Team----
>


Well, at least both DCs know of each other's roles.

To fix the time service, you have to reset the new PDCe DC to become the time server. Here are the steps:

=============
Transferring the PDC Emulator Role
If you have moved the Windows 2003 PDC Emulator role to another DC, or if you seized the role to another DC because the original PDC Emulator is no longer available, reset the time source and hierarchy:

On the new PDCEmulator (where 'peers' is an Internet time source such as 192.5.41.41):
w32tm /config /manualpeerlist:peers /syncfromflags:manual /reliable:yes /update

On the old PDCEmulator:
w32tm /config /syncfromflags:domhier /update

After that run the following on both DCs:
net stop w32time
net start w32time

The "peers" can be a text file, or direct input, allowing you to set the time source, either a DNS name (such as time.windows.com) or an IP address for a reliable time source. I normally use 192.5.41.41.

On your edge firewall, make sure UDP port 123 traffic is allowed inbound from the time source.

If you need a reliable external time source, read the following link for a complete list of them around the internet:

The pool.ntp.org project is a big virtual cluster of timeservers striving to provide reliable and easy to use NTP service for millions of clients without putting strain on the big popular timeservers.
http://www.pool.ntp.org
===========

After you've taken care of that, check to see if the GPO and any other errors are recorded.

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and confers no rights.

Please reply back to the newsgroup or forum for collaboration benefit among responding engineers, and to help others benefit from your resolution.

Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services

If you feel this is an urgent issue and require immediate assistance, please contact Microsoft PSS directly. Please check http://support.microsoft.com for regional support phone numbers.